Merge branch 'MDL-79712-main' of https://github.com/snake/moodle

abgreeve · Apr 2, 2024 · d1613e3 · d1613e3
2 parents 07680ea + 30e2af6
commit d1613e3
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 13 deletions.
diff --git a/auth/lti/classes/local/ltiadvantage/event/event_handler.php b/auth/lti/classes/local/ltiadvantage/event/event_handler.php
@@ -35,16 +35,14 @@ class event_handler {
      * @return void
      */
     public static function handle_user_loggedin(user_loggedin $event): void {
-        // The event data isn't important here. The intent of this listener is to ensure that the MoodleSession cookie gets the
-        // 'Partitioned' attribute, when required - an opt-in flag needed to use Chrome's partitioning mechanism, CHIPS. During LTI
-        // auth, the auth class (auth/lti/auth.php) calls complete_user_login(), which generates a new session cookie as part of its
-        // login process. This handler makes sure that this new cookie is intercepted and partitioned, if needed.
+        // The event data isn't important here. The intent of this listener is to ensure that the MoodleSession cookie is set up
+        // properly during LTI launches + login. This means two things:
+        // i) it's set with SameSite=None; Secure; where possible (since OIDC needs HTTPS this will almost always be possible).
+        // ii) it set with the 'Partitioned' attribute, when required.
+        // The former ensures cross-site cookies are sent for embedded launches. The latter is an opt-in flag needed to use Chrome's
+        // partitioning mechanism, CHIPS.
         if (cookie_helper::cookies_supported()) {
-            if (cookie_helper::get_cookies_supported_method() == cookie_helper::COOKIE_METHOD_EXPLICIT_PARTITIONING) {
-                global $CFG;
-                cookie_helper::add_attributes_to_cookie_response_header('MoodleSession' . $CFG->sessioncookie,
-                    ['Partitioned', 'Secure']);
-            }
+            cookie_helper::setup_session_cookie();
         }
     }
 }
diff --git a/auth/lti/classes/local/ltiadvantage/utility/cookie_helper.php b/auth/lti/classes/local/ltiadvantage/utility/cookie_helper.php
@@ -157,10 +157,8 @@ public static function do_cookie_check(\moodle_url $pageurl): void {
                 // Set a session flag storing the method used to set it, and make sure the session cookie uses this method.
                 $cookiemethod = $cookie1received ? self::COOKIE_METHOD_NO_PARTITIONING : self::COOKIE_METHOD_EXPLICIT_PARTITIONING;
                 $SESSION->auth_lti_cookie_method = $cookiemethod;
-                if ($cookiemethod === self::COOKIE_METHOD_EXPLICIT_PARTITIONING) {
-                    // This assumes secure is set, since that's the only way a paritioned test cookie have been set.
-                    self::add_attributes_to_cookie_response_header('MoodleSession'.$CFG->sessioncookie, ['Partitioned', 'Secure']);
-                }
+
+                self::setup_session_cookie();
             }
         }
     }
@@ -210,6 +208,24 @@ private static function expire_moodlesession(): void {
         }
     }
 
+    /**
+     * Sets up the session cookie according to the method used in the cookie check, and with SameSite=None; Secure attributes.
+     *
+     * @return void
+     */
+    public static function setup_session_cookie(): void {
+        global $CFG;
+        require_once($CFG->libdir . '/sessionlib.php');
+
+        if (is_moodle_cookie_secure()) {
+            $atts = ['SameSite=None', 'Secure'];
+            if (self::get_cookies_supported_method() == self::COOKIE_METHOD_EXPLICIT_PARTITIONING) {
+                $atts[] = 'Partitioned';
+            }
+            self::add_attributes_to_cookie_response_header('MoodleSession' . $CFG->sessioncookie, $atts);
+        }
+    }
+
     /**
      * Set a test cookie, using SameSite=None; Secure; attributes if possible, and with or without partitioning opt-in.
      *