2 - What does password in URL settings do?

by Mary Cooch -
Number of replies: 3

From the URL activity settings page

This secret phrase is used to produce encrypted code value that can be sent to some servers as a parameter. The encrypted code is produced by an md5 value of the current user IP address concatenated with your secret phrase. ie code = md5(IP.secretphrase). Please note that this is not reliable because IP address may change and is often shared by different computers.

Could someone explain this in plain English please so I can document it in plain English? (I'm sure Tim explained something similar before and I recall merely copying and pasting his words) Is it something to do with adding a password so that users who click on the URL can get straight to a password-protected site? Or am I off target?

In reply to Mary Cooch

Re: 2 - What does password in URL settings do?

by Mary Cooch -

Good grief - I posted this an hour ago and Tim hasn't replied. What is the world coming to?

In reply to Mary Cooch

Re: 2 - What does password in URL settings do?

by Tim Hunt -

I don't know what the world came to, but I went to an orchestra rehearsal.

It probably helps to explain what problem the password solves.

Using the various options, you can make the URL point to something like http://other.system.com/script?userid=531675&user=Mary+Cooch&course=5, and going to that URL might let you use the other system as Mary Cooch.

Now, the problem with that is that anyone could type that URL. After all, I just did. So, the problem is, how can we make this more secure?

The answer is to compute some secret that only Moodle, and the other system can work out, and which only works for you. 

Doing md5(IP.secretphrase) is a reasonable approach. Because it contains your IP address, the computed value that is added to the URL will only work for someone sitting at your computer. Since it contains secretphrase, which presumably the admin has entered into both Moodle and the other system, it can only be computed by those two systems. The other system can be confident that if the password matches, the request really came from Moodle.

 

This is a fairly simple and hacky solution to this problem. A real solution is the IMS LTI module, that will almost certainly be part of Moodle 2.2. That uses a really secure method that is similar to the way that Twitter clients work, to establish a three-way triangle of trust between you as a user, the Moodle site you are logged in to, and the third-party system.

Average of ratings: Useful (1)
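
The check discussed in this thread, seen from the receiving system, as an added example that is not part of the original posts or Moodle's own code. The secret value, the `code` parameter name, the helper names and the IP addresses are constructed assumptions; the example also exercises the caveat quoted from the settings page about changing and shared IP addresses.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

# Assumption: the same phrase has been entered in Moodle and in the other system.
SECRET_PHRASE = "constructed-shared-secret"


def url_code(client_ip: str, secret: str = SECRET_PHRASE) -> str:
    """code = md5(IP.secretphrase): the IP string concatenated with the secret."""
    return hashlib.md5((client_ip + secret).encode("utf-8")).hexdigest()


def build_url(userid: int, client_ip: str) -> str:
    """Sending side: append the code for the IP the user is browsing from."""
    return (f"http://other.system.com/script?userid={userid}"
            f"&code={url_code(client_ip)}")


def check_request(url: str, remote_ip: str, secret: str = SECRET_PHRASE) -> bool:
    """Receiving side: recompute the code from the IP the request arrived from
    and compare it with the 'code' query parameter (hypothetical name)."""
    params = parse_qs(urlsplit(url).query)
    presented = params.get("code", [""])[0]
    expected = url_code(remote_ip, secret)
    # Compare as bytes so a non-ASCII parameter cannot raise; constant-time compare.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    home_ip, other_ip = "203.0.113.10", "198.51.100.7"  # constructed addresses
    link = build_url(531675, home_ip)

    print("same IP:         ", check_request(link, home_ip))    # accepted
    print("IP changed:      ", check_request(link, other_ip))   # rejected
    print("no code supplied:", check_request(
        "http://other.system.com/script?userid=531675", home_ip))

    # The code depends only on IP and secret, so two users behind one
    # shared address are issued the same value.
    print("shared IP, same code:",
          url_code(home_ip) == build_url(42, home_ip).split("code=")[1])
```
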