Third-party cookies and LTI


by Stuart Anderson -
Number of replies: 11

Hi,

I have two different versions of moodle running and I've noticed a difference in behaviour when third-party cookies are disabled.  This is important because third-party tracking cookies are now blocked for all users by default in Firefox version 69.  This is also the default on Safari browsers, and Chrome are considering making this the default setting in the future.

When using moodle as a provider and embedding moodle quizzes into another VLE via LTI, on moodle 3.4.2 disabling third-party cookies has no detrimental effect.  Users can select the LTI link and moodle is nicely embedded in the consumer (Blackboard in my case).  

However, on moodle 3.7.2 if third-party cookies are disabled and the user selects an LTI link to moodle, LTI fails and they are bounced to the moodle login page.  The solution here is to set the LTI link to open in a new window, but that's not the behaviour I ideally want.

There might be differences between my consumer VLE systems, but I can't think what that might be as both are the same version of software.

Anyone else seeing odd behaviour when third-party cookies are disabled?  Any advice?

Thanks,

Stuart.

In reply to Stuart Anderson

Re: Third-party cookies and LTI

by Daniel Thies -

Hello Stuart,

Are you running both instances on the same site (domain name)? If so there are some settings in Administration -> Server -> Session handling that may be helpful to distinguish them.

Average of ratings: Useful (1)
In reply to Daniel Thies

Re: Third-party cookies and LTI

by Stuart Anderson -

Thanks Daniel.  I've tried a few things.  I've set the session cookie to be prefixed with something unique and tried again.  Same result.  I've tried accessing the LTI link using a Chrome incognito session where there should be no clash of cookie session data.  Same result.

If I look in the browser console when third-party cookies are blocked and when using moodle version 3.7.2, for Chrome I see:

Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.
first.js:51

...for Firefox I see:

SecurityError: The operation is insecure.
first.js:51

I note that the first.js files are different between moodle versions  3.4.2 and 3.7.2, although line 51 is identical.  When selecting LTI links which point to moodle version 3.4.2 I don't get any javascript errors in the console.

So the issue is still a mystery.  What has changed between moodle versions 3.4.2 and 3.7.2 which prevents embedded LTI moodle sessions when third-party cookies are blocked?  Can anyone else reproduce this?

Best wishes,

Stuart


In reply to Stuart Anderson

Re: Third-party cookies and LTI

by Daniel Thies -

first.js is a combination file which is generated to load a lot of js modules used by plugins including third party ones. It is possible one of those is doing something it is not supposed to. What is on line 51?

In reply to Daniel Thies

Re: Third-party cookies and LTI

by Stuart Anderson -
Chrome reports the error as line 51, column 100. Here:

define('core/localstorage', ["core/config","core/storagewrapper"],function(a,b){var c=new b(window.localStorage);return{get:function(a){return c.get(a)},set:function(a,b){return c.set(a,b)}}});

So it can't find the localStorage for the window when third-party cookies are blocked.  It's still unclear why this error isn't thrown in the earlier version of moodle I have.

Best wishes,

Stuart
In reply to Stuart Anderson

Re: Third-party cookies and LTI

by Daniel Thies -

It looks like core/storagewrapper was changed in 3.7 (MDL-64835) to address some caching problem.

Which theme are you using? It seems a little odd to me that js would be causing a login issue.

In reply to Daniel Thies

Re: Third-party cookies and LTI

by Stuart Anderson -
Hi Daniel,

On both servers (old and new) we are using the Boost theme. I've purposefully kept everything as vanilla as possible. In this case, the old server was cloned to the test server and the test server then upgraded to the latest version of moodle. Therefore they are almost identical in setup, apart from the version of moodle running.

From a little digging around, accessing localstorage will throw a security error if the block third-party cookies box is ticked (which it is by default in some browsers). Still isn't clear why this doesn't impact on older versions of moodle and why opening the LTI activity in a new window doesn't trigger the issue. As it impacted on Chrome and Firefox, I can only assume this is normal behaviour. Whether it can be coded around, I do not know.
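
A guarded lookup for the localStorage read discussed above, as an added example that is not part of the original posts and not Moodle's own code. The helper names (`getSafeStorage`, `createMemoryStorage`) and the stand-in window objects are hypothetical and constructed so the block runs under Node; it only covers the storage exception, not session cookies.

```javascript
// Added example: read window.localStorage defensively in code that may run
// inside a cross-site iframe (e.g. an LTI tool embedded in another VLE).

// Minimal in-memory stand-in exposing the Storage methods used below.
function createMemoryStorage() {
    const data = new Map();
    return {
        getItem: (k) => (data.has(k) ? data.get(k) : null),
        setItem: (k, v) => { data.set(k, String(v)); },
        removeItem: (k) => { data.delete(k); },
    };
}

// Return a usable storage object. The property read itself can throw
// (SecurityError / "Access is denied"), so it must sit inside the try block.
function getSafeStorage(win) {
    try {
        const s = win.localStorage;      // may throw when storage is blocked
        const probe = '__storage_probe__';
        s.setItem(probe, '1');           // may throw too (quota, disabled storage)
        s.removeItem(probe);
        return { storage: s, persistent: true };
    } catch (e) {
        // Fall back to per-page memory: values do not survive a reload.
        return { storage: createMemoryStorage(), persistent: false };
    }
}

// Constructed stand-ins for browser windows.
const blockedWindow = {};
Object.defineProperty(blockedWindow, 'localStorage', {
    get() { throw new Error('SecurityError: The operation is insecure.'); },
});
const allowedWindow = { localStorage: createMemoryStorage() };

function demo() {
    const blocked = getSafeStorage(blockedWindow);
    blocked.storage.setItem('k', 'v');
    const allowed = getSafeStorage(allowedWindow);
    return {
        blockedPersistent: blocked.persistent,
        blockedValue: blocked.storage.getItem('k'),
        allowedPersistent: allowed.persistent,
    };
}
```
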
In reply to Stuart Anderson

Re: Third-party cookies and LTI

by Daniel Thies -

Do the urls have separate domains or the same domain name?

Average of ratings: Useful (1)
In reply to Daniel Thies

Re: Third-party cookies and LTI

by Stuart Anderson -
Same domain name of the two moodle provider services but different in the consumer services - summary below.  

However, in writing this out, you have flagged up that one key difference is that our production service embeds a moodle instance belonging to the same domain.  But in the test environment, they are different domains.  Though I don't have great knowledge of how this should work, it would seem plausible that where we have the same domain between provider and consumer, the cookies that moodle sets are considered as first-party cookies and not blocked so everything works.  But in the test environment the domains are different, and therefore the cookies that moodle sets are treated as third-party and blocked, breaking LTI embedding.  What do you think?

Production service

  • Blackboard consumer: online.manchester.ac.uk (Release 3700.0.2-rel.36+fbf2221)
  • Moodle provider: stack.fse.manchester.ac.uk (Version 3.4.2)

Outcome: LTI embedded moodle quizzes open normally within Blackboard.

Test service (PPD)

  • Blackboard consumer: manchester-ppd.blackboard.com (Release 3700.0.2-rel.36+fbf2221)
  • Moodle provider: vm-stack-t01.its.manchester.ac.uk (Version 3.7.2)
On the PPD server I set a cookie prefix in the session handling admin settings to "ppd".  Everything else under session handling is set with the defaults.

Outcome: LTI embedded moodle quizzes fail to open correctly in Blackboard and instead bounce the user to a login screen embedded within Blackboard.


As a test of my theory about what is going on, I'll see if I can prove this by requesting that our production moodle is registered as an allowed LTI provider on our PPD consumer Blackboard which has a different domain. That will strongly indicate if the issue is down to the version of moodle or a domain issue.

Thanks for your support on this.

Stuart

In reply to Stuart Anderson

Re: Third-party cookies and LTI

by Stuart Anderson -
Dear Daniel,

Thanks for helping to direct my trail of thought on this. My testing would strongly indicate that the issue I was experiencing was due to using different domains on the test environment. What it means is that when we upgrade the production environment we shouldn't experience any issues as both will be running on the same domain. I'll document this in our service notes so that no one gets caught out by this in the future.

Best wishes,

Stuart
In reply to Stuart Anderson

Re: Third-party cookies and LTI

by Daniel Thies -

Hello Stuart,

Thanks for the information. I was able to set up a test system and have been able to reproduce it. It does seem to be related to the issue I mentioned above. Upgrading will cause the problem on your production system so I would hold up if possible.

Daniel

In reply to Daniel Thies

Re: Third-party cookies and LTI

by Stuart Anderson -

Hi Daniel,

We might have our wires crossed here.  The issue I was experiencing was definitely down to my original testing setup having two different domains.  I've managed to convince my IT department to authorise the URL to my upgraded (latest version) moodle against my current production Blackboard VLE service.  Both have the same domain name and when third-party cookies are set to be blocked, the issue I experienced when the domains were different does not occur.  

So in summary, in a setup with a consumer service linking to the latest version of moodle via LTI, as long as they both belong to the same URL domain no issues will be experienced if third-party cookies are blocked.

Thanks,

Stuart


Average of ratings: Useful (1)
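
The same-domain versus different-domain outcome in this thread, as an added example that is not part of the original posts: browsers treat a frame as third-party when its registrable domain (public suffix plus one label) differs from that of the top-level page. The function names and the tiny suffix list are constructed assumptions; the hostnames are the ones listed in the thread.

```javascript
// Added example: classify a consumer/provider pair as same-site or cross-site
// by comparing registrable domains (eTLD+1).

// Constructed, deliberately tiny suffix list; a real check needs the full
// Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['com', 'uk', 'ac.uk', 'co.uk']);

// Longest matching public suffix plus one more label, or null if unknown.
function registrableDomain(hostname) {
    const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
    for (let i = 0; i < labels.length; i++) {
        const suffix = labels.slice(i).join('.');
        if (PUBLIC_SUFFIXES.has(suffix)) {
            if (i === 0) return null;          // host is itself a public suffix
            return labels.slice(i - 1).join('.');
        }
    }
    return null;                               // suffix not in the list
}

function embedContext(consumerHost, providerHost) {
    const c = registrableDomain(consumerHost);
    const p = registrableDomain(providerHost);
    if (c === null || p === null) return 'unknown';
    return c === p ? 'same-site' : 'cross-site';
}

// Hostnames as listed in the thread's production and test (PPD) summaries.
const PAIRS = [
    ['online.manchester.ac.uk', 'stack.fse.manchester.ac.uk'],
    ['manchester-ppd.blackboard.com', 'vm-stack-t01.its.manchester.ac.uk'],
];

function classifyAll() {
    return PAIRS.map(([consumer, provider]) => ({
        consumer,
        provider,
        context: embedContext(consumer, provider),
    }));
}

console.log(classifyAll());
```
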