groton-school / slim-lti-partitioned-session
Negotiate CHIPS partitioned third party session cookies from an embedded LTI Tool
Requires
- dflydev/fig-cookies: dev-feat/chips
- groton-school/slim-lti-shim: ^2.1.0
- odan/session: ^6.4
- psr/http-message: ^2.0
- slim/http: ^1.4
- slim/php-view: ^3.4
README
Install
composer require groton-school/slim-lti-partitioned-session
Use
At the moment, this is a fairly rigidly-defined package. In order for it to do its thing:
- PhpSession must be defined as a dependency.
- The cookie-negotiation Actions must be assigned to specific routes.
- SessionStartMiddleware and PartitionedSessionMiddleware must be added as middleware (in order) to routes that need access to the PHP session (including the cookie-negotiation routes and LTI OIDC launch routes).
See groton-school/slim-skeleton for sample usage.
How
Given the insidious prevalence of user-tracking web technologies, and the use of third-party cookies to facilitate them, many browsers have imposed hard limits on the use of third-party cookies. This is awkward, because the LTI standard is built on the assumption that a) third-party cookies will be readily available for the OIDC handshake and launch and b) most resources will be embedded in a third-party IFRAME context.
This package provides a modified LaunchHandler compatible with groton-school/slim-lti-shim that injects a third-party cookie test into the LTI Tool launch. This is paired with the PartitionedSession middleware, which ensures that all session cookies are sent as both Secure and Partitioned (which is enough for Chromium-based browsers).
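As an added example (not this package's own PartitionedSessionMiddleware, and not using dflydev/fig-cookies), the following generic PSR-15 middleware rewrites every outgoing Set-Cookie header into the form CHIPS requires for a cookie to be stored in an embedded third-party context. The class name and the header-rewriting approach are assumptions; it needs psr/http-message and psr/http-server-middleware.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Hypothetical middleware: forces Secure, SameSite=None and Partitioned on
 * every Set-Cookie header of the PSR-7 response. CHIPS only partitions a
 * cookie that is Secure and Partitioned; SameSite=None is what lets the
 * browser send it on cross-site requests from the embedding LMS iframe.
 * Cookies emitted with PHP's native setcookie()/session_start() bypass the
 * PSR-7 response and are NOT touched here (the reason this package relies on
 * a PSR-7 cookie library instead of the session cookie params).
 */
final class EnsurePartitionedCookies implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);
        $cookies = $response->getHeader('Set-Cookie');
        if ($cookies === []) {
            return $response;
        }
        // Replace the whole header set so each cookie is rewritten exactly once.
        $response = $response->withoutHeader('Set-Cookie');
        foreach ($cookies as $cookie) {
            $response = $response->withAddedHeader('Set-Cookie', self::partition($cookie));
        }
        return $response;
    }

    /** Rewrite one Set-Cookie value, e.g. "PHPSESSID=abc; Path=/; HttpOnly". */
    public static function partition(string $cookie): string
    {
        $parts = array_map('trim', explode(';', $cookie));
        $nameValue = array_shift($parts);
        // Keep all other attributes (Path, HttpOnly, Expires, ...) but drop any
        // existing Secure/SameSite/Partitioned so they are re-added canonically.
        $managed = ['secure', 'samesite', 'partitioned'];
        $keep = array_filter($parts, fn(string $attr): bool =>
            $attr !== '' && !in_array(strtolower(explode('=', $attr, 2)[0]), $managed, true));
        return implode('; ', [$nameValue, ...array_values($keep), 'Secure', 'SameSite=None', 'Partitioned']);
    }
}
```

Register it on the same routes as the session middleware, after it, so the session cookie is already present on the response when the rewrite runs.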
If third-party cookies cannot be initially set (as is the case when working with Safari and other WebKit-based browsers using ITP), a more interactive permissions-handshake with the user is required. The package negotiates this handshake and then uses the PartitionedSession middleware to resume the originally-launched LTI Tool session and provide the LTI resource.