I ran into a rather scary problem today. I set up a course in Moodle (2.4) as LTI Provider and invited different Moodle admins to connect to it from their Moodle sites. One person connected under a wrong identity (excuse my English).
Let's call them Alice and Beth. They both have a Moodle site (version 2.2) with admin role hosted on the same server. Alice roamed to my Moodle course through external tool activity (LTI) at 16:08 and didn't log out according to Moodle's log. Later Beth tried to access the same way, but got authenticated under Alice's name. Wrong identity! In the log, I see a second login (16:37) under Alice's name. No Beth user created.
Both users come from different IP addresses. How can one connect under someone else's identity?
Of course, they both connect with the same secret key.