Hi all,
We have an issue adding LTI ContentItem items from non-local LTI providers like h5p.com. We currently have SameSite=lax (the default). On latest Chrome, h5p issues a POST to
"POST /portal/tool/TOOLID/sakai.basiclti.admin.helper.helper?eventSubmit_doSingleContentItemResponse=Save&flow=lessons&sakai.session=SESSIONID&returnUrl=https%3A%2F%2Fvula.uct.ac.za%2Fportal%2Fsite%2F79f7e453-662b-4465-94bd-606506a3b250%2Ftool%2F3d70fb1b-670f-46e4-b91c-30820033bedc%2FBltiPicker%3F83977%26itemId%3D-1%26addBefore%3D&panel=PostContentItem&tool_id=195&sakai_csrf_token=TOKEN"
The SESSIONID is what would normally be in the JSESSIONID cookie, except that the POST request does not include this as a cookie. We use mod_jk as load-balancer which does not pay attention to the sakai.session request parameter (it uses the JSESSIONID cookie for app server affinity) and can send this request to another app server on which the specified sakai.session is not valid, and so the request fails because it’s not authenticated.
It seems SameSite=none might work around this but is undesirable. Is the requirement that load-balancers need to also pay attention to the sakai.session parameter for app server affinity? If so, does anyone have a working configuration for apache + mod_jk (or any other working load-balancer configuration for this, e.g. apache + mod_proxy_ajp)?
Cheers
Stephen
---
Stephen Marquard, Acting Deputy Director
Centre for Innovation in Learning and Teaching
(CILT)
University of Cape Town
http://www.cilt.uct.ac.za
stephen....@uct.ac.za
Phone: +27-21-650-5037 Cell: +27-83-500-5290
ProxyPass / balancer://sakaicluster/ stickysession=JSESSIONID|sakai.session
Balancer sticky session name. The value is usually set to something like JSESSIONID or PHPSESSIONID, and it depends on the backend application server that support sessions. If the backend application server uses different name for cookies and url encoded id (like servlet containers) use | to separate them. The first part is for the cookie the second for the path. Available in Apache HTTP Server 2.4.4 and later.
Hi everyone
We ended up going with this configuration in our apache 2.4 + mod_jk 1.2 config:
<Location /portal/tool/>
    SetHandler jakarta-servlet
    SetEnvIfExpr "%{QUERY_STRING} =~ /sakai.session=[0-9a-f-]{36}.(vula[0-9ab]{4})/" JK_ROUTE=$1
</Location>
which routes the request to the right node. There may be a simpler or more general configuration for this, but the above does seem to work. Note the regexp matches our worker names explicitly so this is site-specific.
This seems like something of a configuration “gotcha” for using LTI ContentItem that perhaps should be documented more explicitly somewhere, or we should set SameSite=none by default (though less secure).
Regards
Stephen
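
An added example (not from the thread or the Sakai project): a Python check of the routing rule above against constructed query strings, useful for testing the pattern before changing a load-balancer configuration. The session id, the worker names and the helper functions are assumptions; the ".worker" suffix on JSESSIONID follows the usual Tomcat jvmRoute convention.

```python
import re
from urllib.parse import parse_qs

# Pattern copied from the SetEnvIfExpr rule in the thread (site-specific workers).
THREAD_RULE = re.compile(r"sakai.session=[0-9a-f-]{36}.(vula[0-9ab]{4})")
# Same pattern applied to the parameter value only (hypothetical variant).
VALUE_RULE = re.compile(r"[0-9a-f-]{36}.(vula[0-9ab]{4})")


def route_from_query(query_string):
    """Worker name the thread's rule would put in JK_ROUTE, or None."""
    m = THREAD_RULE.search(query_string)
    return m.group(1) if m else None


def route_from_param(query_string):
    """Route taken only from a single top-level sakai.session parameter."""
    values = parse_qs(query_string).get("sakai.session", [])
    if len(values) != 1:
        return None  # missing or repeated parameter: no affinity hint
    m = VALUE_RULE.fullmatch(values[0])
    return m.group(1) if m else None


def pick_worker(cookies, query_string):
    """Affinity decision: JSESSIONID cookie first, then the URL parameter."""
    jsession = cookies.get("JSESSIONID", "")
    if "." in jsession:
        return jsession.rsplit(".", 1)[1]
    return route_from_param(query_string)


# Constructed sample data: the session id and worker names are made up.
SID = "0f8b2c1e-7a4d-4e1b-9c3a-5d6e7f8091a2"
CROSS_SITE_POST = (
    "eventSubmit_doSingleContentItemResponse=Save"
    f"&sakai.session={SID}.vula01a1&tool_id=195"
)
NESTED_ONLY = f"returnUrl=https%3A%2F%2Fexample.invalid%2F%3Fsakai.session%3D{SID}.vula02b2"
NO_SUFFIX = f"sakai.session={SID}&tool_id=195"

if __name__ == "__main__":
    # Cross-site POST under SameSite=lax: no cookie, so the parameter decides.
    print(pick_worker({}, CROSS_SITE_POST))
    print(pick_worker({"JSESSIONID": f"{SID}.vula02b2"}, CROSS_SITE_POST))
    print(route_from_query(NESTED_ONLY), route_from_query(NO_SUFFIX))
```
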