Closed Alex-Jordan closed 3 months ago
In Chrome I see this:
So I looked and saw that I can set $CookieSecure = 1;
in localOverrides.conf
. I've done that and things work now in Chrome. Is there a down side I should know about to setting $CookieSecure = 1;
?
Should I be using $CookieSameSite = "Lax";
instead of $CookieSameSite = "None";
?
And is there a recommendation for using $useSessionCookie = 1
? I am seeing that I just was rolling with the defaults.
So I looked and saw that I can set
$CookieSecure = 1;
inlocalOverrides.conf
. I've done that and things work now in Chrome. Is there a down side I should know about to setting$CookieSecure = 1;
?
If you are using SameSite "None", then you need a secure cookie. There is no downside to using $CookieSecure = 1;
, and in fact, on a production server with SSL you always should be using that. There is a downside to using $CookieSecure = 0;
. Any browser will reject a SameSite "None" cookie that is not secure. You say Firefox and Safari don't? They should.
I don't like that we set the default for $CookieSecure
to 0. We do that for those that do not have SSL certificates. If you don't have SSL certificates, you can't use $CookieSecure = 1
. However, most systems in production will have SSL certificates, and the default won't work right. Really, regardless of the SameSite setting, if you have SSL, you should use $CookieSecure = 1
. In addition, localhost
is considered a secure site even without SSL certificates by browsers. So even when testing in development on localhost
you can use $CookieSecure = 1
.
You should be using CookieSameSite = "Lax"
in localOverrides.conf (or really, don't override that setting because that is the default in defaults.conf
). When a content item selection request is used, a SameSite "None" cookie will be used in any case (that is a special override in the code for content item selection). If you use SameSite "None" with CookieSecure set to 1, then Safari and Google Chrome will block cookies (unless you allow third party cookies). You don't want your students to need to worry about doing that.
You should be using CookieSameSite = "Lax"
OK, I see that is what I actually had. The content select cookie using SameSite "None" was making me think that is what the default was.
And yes, my experience was that with $CookieSecure = 0
, Firefox and Safari were allowing the LTI content select tool to work. I have looked and I don't think I have any special exceptions in those browsers. And at least one other person who works in Online Learning was able to get the tool to work after switching from Chrome to Firefox (and that person did not have an understanding of the details of this issue—there is no reason to think they intentionally changed some Firefox setting either).
Do we understand why LTI Content Selection might work in Firefox and Safari, but not in Chrome? It is working for me with FF and Safari, with no changes to configuration. Safari has "Prevent cross-site teaching" checked, and the Content Selection tool still works from D2L. Firefox has "Standard" protection mode, which blocks "Cross-site cookies in all windows", and the tool still works.
But it's not working in Chrome for me or other faculty.