groton-school/slim-lti-partitioned-session

Negotiate CHIPS partitioned third party session cookies from an embedded LTI Tool

1.1.0 2025-08-07 12:21 UTC

This package is auto-updated.

Last update: 2025-08-07 21:32:55 UTC


README

Negotiate CHIPS partitioned third party session cookies from an embedded LTI Tool

Latest Version

Install

composer require groton-school/slim-lti-partitioned-session

Use

At the moment, this is a fairly rigidly-defined package.. In order for it to do its thing:

  1. PhpSession must be defined as a dependency.
  2. The cookie-negotiation Actions must be assigned to specific routes.
  3. SessionStartMiddleware and PartitionedSessionMiddleware must be added as middleware (in order) to routes that need access to the PHP session (including the cookie-negotiation routes and LTI OIDC launch routes)

See groton-school/slim-skeleton for sample usage.

How

Given the insidiuous prevalance of user-tracking web technologies, and the use of third-party cookies to facilitate them, many browsers have imposed hard limits on the use of third-party cookies. This is awkward, because the LTI standard is built on the assumption that a) third-party cookies will be readily available for the OIDC handshake and launch and b) most resources will be embedded in a third-party IFRAME context.

This package provides a modified LaunchHandler compatible with groton-school/slim-lti-shim that injects a third-party cookie test into the LTI Tool launch. This is paired with the PartitionedSession middleware that ensures that a) all session cookies are sent as both Secure and Partitioned (which is enough for Chromium-based browsers).

If third-party cookies cannot be initially set (as is the case when working with Safari and other WebKit-based browsers using ITP), a more interactive permissions-handshake with the user is required. The package negotiates this handshake and then uses the PartitionedSession middleware to resume the originally-launched LTI Tool session and provide the LTI resource.

sequence diagram