Unfamiliar error message

[Tom Salyers]

Hi, all.

I've bugged Christian about this, but I wanted to throw it out there just in case anyone else has run across something similar.

A couple of the Numbas quizzes they're testing in Blackboard have started reporting this:

It doesn't seem to happen consistently, but it *does* seem to happen more often on two particular quizzes from our Advanced Manufacturing Research Center (AMRC) and more often on machines connected via our VPN as opposed to our managed desktop (Yoyo) machines.

I'm not quite sure why we're getting this--the LTI provider and the PostgreSQL database live on the same machine, so they shouldn't have trouble talking to each other. One of the theories we're working with is that these AMRC quizzes are older (apparently a year or more) and there might be some kind of version mismatch between their SCORM objects and Numbas or Blackboard.

(As an additional data point, it doesn't seem to happen on our Blackboard staging system, which is on version 3900.17, as opposed to 3900.15 on our production system. I'm not sure if that's contributing to it, though.)

Has anyone seen something like this, and if so, how did you fix it? Thanks in advance for any help/advice.

--

Tom Salyers, MBCS
Senior Education Developer/System Administrator

The University of Sheffield
IT Services

[Christian Lawson-Perfect]

Hi Tom,

That message is about the connection between the client (the student's device) and the LTI provider.

If it happens very often, you could try looking at the browser's developer console to see why the websocket and AJAX fallback connections aren't working.

Christian

--
You received this message because you are subscribed to the Google Groups "Numbas Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to numbas-users...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/9b95193b-fded-4ce3-91ff-4e11de53cbe4n%40googlegroups.com.

[Tom Salyers]

Hi, Christian.

Thanks--that makes sense. I can't reproduce it on my own machine (yet), but I'll see if I can walk the people experiencing the problem through getting me a screenshot of the developer console.

--

Tom Salyers, MBCS
Senior Education Developer/System Administrator

The University of Sheffield
IT Services

[Tom Salyers]

Hi, Christian.

I couldn't fit an entire screenshot of the developer console log in here, as there's quite a bit, but it looks like it's a repetition of the same three entries below over and over. I'm guessing the relevant bit is the "CSRF verification failed . Request aborted. " one. Is that a Django fix, or an Nginx configuration thing? 

api.f016d8d19766.js:608 POST https://numbas.shef.ac.uk/attempt/103/scorm_data_fallback?resource_link_id=_5311990_1 403 (Forbidden)
send_ajax @ api.f016d8d19766.js:608
send_ajax_interval @ api.f016d8d19766.js:72
setTimeout (async)
SCORM_API @ api.f016d8d19766.js:75
(anonymous) @ 103?resource_link_id=_5311990_1:80

---------------------

api.f016d8d19766.js:627 SCORM HTTP fallback error message:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="robots" content="NONE,NOARCHIVE">
  <title>403 Forbidden</title>
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
</head>
<body>
<div id="summary">
  <h1>Forbidden <span>(403)</span></h1>
  <p>CSRF verification failed. Request aborted.</p>


</div>

<div id="explanation">
  <p><small>More information is available with DEBUG=True.</small></p>
</div>

</body>
</html>

--------------------

(anonymous) @ api.f016d8d19766.js:627
Promise.then (async)
(anonymous) @ api.f016d8d19766.js:626
(anonymous) @ api.f016d8d19766.js:625
Promise.then (async)
send_ajax @ api.f016d8d19766.js:622
send_ajax_interval @ api.f016d8d19766.js:72
setTimeout (async)
SCORM_API @ api.f016d8d19766.js:75
(anonymous) @ 103?resource_link_id=_5311990_1:80
api.f016d8d19766.js:665 Failed to send SCORM data over HTTP
ajax_failed @ api.f016d8d19766.js:665
(anonymous) @ api.f016d8d19766.js:628
Promise.then (async)
(anonymous) @ api.f016d8d19766.js:626
(anonymous) @ api.f016d8d19766.js:625
Promise.then (async)
send_ajax @ api.f016d8d19766.js:622
send_ajax_interval @ api.f016d8d19766.js:72
setTimeout (async)
SCORM_API @ api.f016d8d19766.js:75
(anonymous) @ 103?resource_link_id=_5311990_1:80

[Johan Slabbert]

Just a question (no answer) in which browser is this and what version? 

Johan Slabbert
Educational Technology Project Manager (University of Pretoria)

To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/706013d2-4b66-481f-ba4b-acea61e5fd41n%40googlegroups.com.

This message and attachments are subject to a disclaimer.
Please refer to http://upnet.up.ac.za/services/it/documentation/docs/004167.pdf for full details.

[Tom Salyers]

It's happening in a few different browsers, but the one I've been testing with most recently is Chrome 91 on Windows.

[Tom Salyers]

Just as a data point, I can't seem to reproduce the problem in recent versions of Firefox, Edge, or Vivaldi--they all just happily get on with rendering and handling requests.

[Christian Lawson-Perfect]

I've just had a go with Chrome 91, and it's working fine, so it's not completely broken. Tom - roughly how often do you get this problem? Does it happen immediately, or only after a certain amount of time?

The "CSRF verification failed" message makes me think the problem is down to cookies. Can you look at the csrftoken cookie set by your Numbas LTI server, and check it matches mine: I have a tick under "Secure", and "None" under "SameSite". You could also check the expiry time, just in case that's the problem.

To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/974020d5-a0bf-4ff9-ae82-51662d08a955n%40googlegroups.com.

[Tom Salyers]

Hi, Christian.

It happens pretty consistently with this one set of quizzes our engineering department has set up, and it happens either immediately or within a second or two of loading them.

I had a look at the csrftoken cookie, and the expiration date is fine--it's in July 2022. It's marked as "Secure" and has "None" under "SameSite" like yours...but mine is also marked as "HttpOnly". Over in the main Chrome settings, it says "Accessible to script: No (HttpOnly)"....I'm guessing this could be part of the problem.

--

Tom Salyers, MBCS
Senior Education Developer/System Administrator

The University of Sheffield
IT Services

[Tom Salyers]

Update: I just tried removing the HttpOnly attribute from that cookie, and the error message has gone away...at least for now. I may have to have a word with the security testing application that suggested/required that setting being put in place. :P

--

Tom Salyers, MBCS
Senior Education Developer/System Administrator

The University of Sheffield
IT Services

[Christian Lawson-Perfect]

Yes, that would do it! I'll add a note to the documentation.

To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/6abe7cee-9167-4c0f-b683-8f58e77ba634n%40googlegroups.com.