Session ID
10 views
Skip to first unread message
sha...@vt.edu
Mar 26, 2025, 3:23:21 PMMar 26
to SPLICE Smart Learning Content Protocol
Cay -- Raising a topic related to, but an evolution from, the discussion on controlling who can request an exercise.
Talking with Steve today, we came to the conclusion that it would be a good idea for the SPLICE protocol to explicitly adopt support for having the server issue some sort of session ID to the client, who would then refer to that session ID for all future associated traffic. This would subsume the issue of controlling who has access (if the server doesn't like you, it can just not give you an ID that it recognizes, and then not accept future communications that don't have a valid ID).
But more generally, it lets the server keep track of all incoming events and other traffic associated with a particular session (use) of a particular exercise.
What do you think of this idea?
-- Cliff
Cay Horstmann
Mar 30, 2025, 10:48:48 AMMar 30
to splice-smart-learni...@googlegroups.com
Hi, I am not sure I understand how such a session ID is used.
If the smart learning element (the one inside the iframe) does not talk to a third party, then there is no need for a session ID. The embedding page can already track the source of any postMessage messages that it receives.
I could potentially see a utility if there is a third party server that the smart learning element contacts.
embedding page
embedded iframe --------------> third party server
Is that the scenario of interest? Who will consume the session ID? It's really only useful if the third party server contacts the server that generated the embedding page.
Right now the spec provides for
user_id: an optional unique and opaque user ID,
context_id: an optional unique and opaque ID of the context
(such as a course assignment or ebook section)
Is that not enough? We can add an optional session_id to the getState response.
Keep in mind that the server can send anything to the client in the getState response. The only value of adding session_id to the spec is to reserve that name.
Cheers,
Cay
Il 26/03/25 20:23, sha...@vt.edu ha scritto:
> --
> You received this message because you are subscribed to the Google Groups "SPLICE Smart Learning Content Protocol" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to splice-smart-learning-con...@googlegroups.com <mailto:splice-smart-learning-con...@googlegroups.com>.
> To view this discussion visit https://groups.google.com/d/msgid/splice-smart-learning-content-protocol/cbd25dfe-0674-47b0-899b-2f23ca3fba15n%40googlegroups.com <https://groups.google.com/d/msgid/splice-smart-learning-content-protocol/cbd25dfe-0674-47b0-899b-2f23ca3fba15n%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout <https://groups.google.com/d/optout>.
--
Cay S. Horstmann | https://horstmann.com
If the smart learning element (the one inside the iframe) does not talk to a third party, then there is no need for a session ID. The embedding page can already track the source of any postMessage messages that it receives.
I could potentially see a utility if there is a third party server that the smart learning element contacts.
embedding page
embedded iframe --------------> third party server
Is that the scenario of interest? Who will consume the session ID? It's really only useful if the third party server contacts the server that generated the embedding page.
Right now the spec provides for
user_id: an optional unique and opaque user ID,
context_id: an optional unique and opaque ID of the context
(such as a course assignment or ebook section)
Is that not enough? We can add an optional session_id to the getState response.
Keep in mind that the server can send anything to the client in the getState response. The only value of adding session_id to the spec is to reserve that name.
Cheers,
Cay
Il 26/03/25 20:23, sha...@vt.edu ha scritto:
> You received this message because you are subscribed to the Google Groups "SPLICE Smart Learning Content Protocol" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to splice-smart-learning-con...@googlegroups.com <mailto:splice-smart-learning-con...@googlegroups.com>.
> To view this discussion visit https://groups.google.com/d/msgid/splice-smart-learning-content-protocol/cbd25dfe-0674-47b0-899b-2f23ca3fba15n%40googlegroups.com <https://groups.google.com/d/msgid/splice-smart-learning-content-protocol/cbd25dfe-0674-47b0-899b-2f23ca3fba15n%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout <https://groups.google.com/d/optout>.
--
Cay S. Horstmann | https://horstmann.com
sha...@vt.edu
Dec 6, 2025, 11:49:06 AM (15 hours ago) Dec 6
to SPLICE Smart Learning Content Protocol
Sorry to have dropped this for so long! I have had some more discussions about this recently.
Yes, I think you are right that the issue is a 3rd-party server. Perhaps oversimplifying, but we can categorize items into two groups:
* Those that either resolve any scoring or similar decisions in the browser, and only need to report back the result to the containing page.
* Those that rely on a server to resolve such decisions. That might involve expending resources. For example, executing a program on the server side that the user/student wrote in a programming exercise, or a server's assessment of the student solution through an LLM call.
So the question is: How does the assessing server make sure that the requestor (the student) is authorized to use those resources? That might be because the request comes through an authorized intermediary (for example, the request is coming through Canvas from a course or institution that is authorized to use the resource).
-- Cliff
-- Cliff
Reply all
Reply to author
Forward
0 new messages