openwebwork / webwork2

Course management front end for WeBWorK
http://webwork.maa.org/wiki/Main_Page

Switch to using a Mojolicious session for cookies. #2333

Closed drgrice1 closed 4 months ago

drgrice1 commented 5 months ago

The primary advantage of this switch is that now cookies are signed. That means that unlike webwork2's current cookies, the data stored in the session cookies can be trusted to not have been tampered with. Note that setting the secrets in the conf/webwork2.mojolicious.yml file is now important (and not just something that we tell system administrators to do). That secret is the private key that is used to sign cookies.

The documentation on session management in defaults.config and localOverrides.conf.dist has been updated. Most of that was obsolete nonsense.

Note that the $debugPracticeUser has been removed. As stated in the comments about it in defaults.config, "Why do we even have this?"
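The comment above is about what signing buys you and why the configured secret matters. The following is an added example, not webwork2 code and not part of this pull request: a stand-alone Mojolicious::Lite app (assumes Mojolicious 9.x) that issues a session cookie, then shows that a cookie whose payload was edited and re-signed with a guessed key is ignored, while the same payload signed with the real secret is accepted. The route names, the literal secret, and the `forge_session_cookie` helper are all constructed for this example; webwork2 takes its secrets from conf/webwork2.mojolicious.yml and may use a different cookie name than the Mojolicious default shown here.

```perl
#!/usr/bin/env perl
# Added example (not webwork2 code): how Mojolicious signs its session cookie
# and why the configured secret decides whether a cookie can be trusted.
use Mojolicious::Lite -signatures;
use Test::More;
use Test::Mojo;
use Mojo::Util qw(b64_encode hmac_sha256_sum);

# Assumed secret. webwork2 reads its secrets from conf/webwork2.mojolicious.yml;
# a literal is used here only so the script runs stand-alone. The first secret
# is used for signing, every listed secret is accepted for verification, which
# is how rotation works: prepend the new one, keep the old one until sessions expire.
my $real_secret = 'replace-me-with-a-long-random-value';
app->secrets([$real_secret]);

# Store an identity in the session after a (simulated) login.
get '/login' => sub ($c) {
  $c->session(user => 'alice');
  $c->render(text => 'logged in');
};

# Read the identity back; an absent or untrusted cookie yields 'anonymous'.
get '/whoami' => sub ($c) {
  $c->render(text => $c->session('user') // 'anonymous');
};

# Build a session cookie the way Mojolicious::Sessions does: JSON payload,
# base64 with '=' mapped to '-', then '--' and an HMAC-SHA256 over the payload.
# (Hypothetical helper written for this example.)
sub forge_session_cookie ($payload, $secret) {
  my $value = b64_encode($payload, '');
  $value =~ y/=/-/;
  return $value . '--' . hmac_sha256_sum($value, $secret);
}

my $t = Test::Mojo->new;

# 1. Normal flow: the server issues a signed cookie and reads it back.
$t->get_ok('/login')->status_is(200);
$t->get_ok('/whoami')->status_is(200)->content_is('alice');

# 2. Tampering: the client edits the payload to claim another user but cannot
#    produce a matching HMAC without the secret. Mojolicious drops the cookie
#    (logged at debug level as a bad signature) and the session is empty.
my $payload = '{"user":"admin","expires":' . (time + 3600) . '}';
my $bad = forge_session_cookie($payload, 'attacker-guess');
$t->reset_session;
$t->get_ok('/whoami' => {Cookie => "mojolicious=$bad"})->content_is('anonymous');

# 3. Secret compromise: with the real secret the same payload is accepted as-is.
#    Signing proves the cookie was minted by a holder of the secret, nothing more,
#    so a default or leaked secret makes the session forgeable.
my $good = forge_session_cookie($payload, $real_secret);
$t->reset_session;
$t->get_ok('/whoami' => {Cookie => "mojolicious=$good"})->content_is('admin');

done_testing();
```

Run it with `perl example.t` (or `prove`). Note that the payload itself is only base64-encoded, not encrypted: anyone holding the cookie can read the session contents, so the integrity guarantee described in the comment does not extend to confidentiality, and secrets that are visible in the session should still not be stored there.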

drgrice1 commented 5 months ago

Note that this is part 1 of 3 in a rather exhaustive revamp of webwork2's authentication system.

pstaabp commented 5 months ago

Is the switch to mojolicious cookies the code in the session subroutine in the Controller module? Overall, except for that, it seems to be mostly some code cleanup and documentation improvement.

drgrice1 commented 5 months ago

Most of it is just code cleanup. I tried to put all of that into this pull request so that once this is merged, the other pull requests are more transparent as to what they are doing. The main part of the code for switching to Mojolicious cookies is the session subroutine in the WeBWorK::Controller module (as you observed), and the calls to that method in the fetchCookie, sendCookie, and killCookie methods of WeBWorK::Authen.

Alex-Jordan commented 4 months ago

Tested some, with no problems.