groton-school/slim-lti-partitioned-session

Negotiate CHIPS partitioned third party session cookies from an embedded LTI Tool

Maintainers

Details

github.com/groton-school/slim-lti-partitioned-session

Source

Issues

Installs: 152

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 0

Forks: 0

Open Issues: 1

1.3.4 2025-08-19 01:02 UTC

Requires

Requires (Dev)

GPL-3.0 2307b1b8f969d6d7cd8b3dab2ad8f23f0ac3b1c2

  • Seth Battis <sbattis.woop@groton.org>

This package is auto-updated.

Last update: 2025-08-19 01:02:59 UTC

README

Negotiate CHIPS partitioned third party session cookies from an embedded LTI Tool

Latest Version

Caution

This package is likely going to be fragmented into three separate, more-focused packages in the near future: one to implement a partitioned session cookie version of Odan\Session\PhpSession, one to negotiate the third-party cookie on the Slim Framework, and one to implement the LTI LaunchHandler that directs into the third-party cookie negoation.

Install

composer require groton-school/slim-lti-partitioned-session

Use

This implementation expects a default slim-skeleton and relies on groton-school/slim-lti-shim and packbackbooks/lti-1p3-tool for core LTI Tool functionality.

  1. Optionally, implement SettingsInterface -- alternativelyDefaultSettings are available

  2. Define the dependency on either your SettingsInterface implementaton or the DefaultSettings implementation

  3. Inject remaining dependencies

  4. Register the cookie-negotiation routes

groton-school/slim-skeleton@dev-gae/lti-tool

groton-school/slim-skeleton is the canonical example of how this shim is meant to be used.

How

Given the insidiuous prevalance of user-tracking web technologies, and the use of third-party cookies to facilitate them, many browsers have imposed hard limits on the use of third-party cookies. This is awkward, because the LTI standard is built on the assumption that a) third-party cookies will be readily available for the OIDC handshake and launch and b) most resources will be embedded in a third-party IFRAME context.

This package provides a modified LaunchHandler compatible with groton-school/slim-lti-shim that injects a third-party cookie test into the LTI Tool launch. This is paired with the PartitionedSession middleware that ensures that a) all session cookies are sent as both Secure and Partitioned (which is enough for Chromium-based browsers).

If third-party cookies cannot be initially set (as is the case when working with Safari and other WebKit-based browsers using ITP), a more interactive permissions-handshake with the user is required. The package negotiates this handshake and then uses the PartitionedSession middleware to resume the originally-launched LTI Tool session and provide the LTI resource.

sequence diagram