Can published IVLE web apps identify when they are being accessed by a user logged in to IVLE?

Asked by Marco Lui

Is there any way to identify if a published IVLE web app is being served to a user logged in to IVLE, and if so, is it possible to obtain the username? Thanks!

Question information

Language: English
Status: Answered
For: IVLE
Assignee: No assignee
William Grant (wgrant) said:
#1

It's not possible, no. IVLE scripts have full access to their CGI environment, and can run JavaScript, so could easily grab the user's cookie and impersonate them. Even if we were to alter IVLE to use the HttpOnly cookie flag (which wasn't widely supported when we made this design decision) and filter auth cookies from the HTTP_COOKIE CGI variable, student webapps could still make AJAX requests to other student webapps to impersonate other users.

A secure implementation should be possible in modern browsers with the use of one domain per student (probably a wildcard of *.students.informatics.unimelb.edu.au) combined with HttpOnly cookies and the above HTTP_COOKIE filtering, but it's not currently supported by IVLE.
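The answer above describes two halves of a mitigation: strip the host's authentication cookie out of the HTTP_COOKIE CGI variable before a student script sees it, and mark the session cookie HttpOnly so page scripts cannot read it; it also explains why that is only sufficient once each student's app lives on its own origin. The following is an added illustration written for this page, not IVLE's own code: the cookie name `ivle_session`, the sample header values and the hostnames are constructed placeholders.

```python
"""
Added example (not IVLE's code): sanitising the CGI environment handed to a
hosted student web app, emitting the host session cookie with HttpOnly, and
checking whether two app URLs share a browser origin.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed name of the host's authentication cookie; IVLE's real name may differ.
AUTH_COOKIE_NAMES = frozenset({"ivle_session"})


def filter_auth_cookies(http_cookie: str, auth_names=AUTH_COOKIE_NAMES) -> str:
    """Return the HTTP_COOKIE header value with authentication cookies removed.

    http.cookies parses the header so quoted values survive intact; everything
    that is not an auth cookie is re-serialised in its original order.
    """
    jar = SimpleCookie()
    jar.load(http_cookie)
    kept = [f"{name}={morsel.coded_value}"
            for name, morsel in jar.items() if name not in auth_names]
    return "; ".join(kept)


def sanitise_cgi_environ(environ: dict) -> dict:
    """Copy a CGI environment, dropping the host's auth cookies from HTTP_COOKIE.

    The student script still receives its own cookies; if nothing remains the
    variable is removed entirely rather than left as an empty string.
    """
    env = dict(environ)
    raw = env.get("HTTP_COOKIE")
    if raw is not None:
        filtered = filter_auth_cookies(raw)
        if filtered:
            env["HTTP_COOKIE"] = filtered
        else:
            del env["HTTP_COOKIE"]
    return env


def session_cookie_header(session_id: str, name: str = "ivle_session") -> str:
    """Build the Set-Cookie value for the host session with HttpOnly and Secure.

    HttpOnly keeps document.cookie from exposing it to page scripts; Secure
    keeps it off plaintext HTTP. Path=/ scopes it to the host, not a subdomain.
    """
    jar = SimpleCookie()
    jar[name] = session_id
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    return jar[name].OutputString()


def same_origin(url_a: str, url_b: str) -> bool:
    """True when two URLs share scheme, host and port, i.e. one browser origin.

    Apps served under paths on one host are same-origin, so one app's script
    can make credentialed XHR requests to another's; apps on per-student
    subdomains are distinct origins and the browser blocks that by default.
    """
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


if __name__ == "__main__":
    # Constructed sample request environment for a hosted student app.
    environ = {"REQUEST_METHOD": "GET",
               "HTTP_COOKIE": "theme=dark; ivle_session=abc123; lang=en"}
    print(sanitise_cgi_environ(environ))
    print(session_cookie_header("abc123"))
    print(same_origin("https://ivle.example.edu/~alice/app",
                      "https://ivle.example.edu/~bob/app"))
    print(same_origin("https://alice.students.example.edu/app",
                      "https://bob.students.example.edu/app"))
```

The first two calls implement the HTTP_COOKIE filtering and the HttpOnly flag from the answer; the last two show why the answer insists on one domain per student: with apps on a shared host the origin check passes, so cookie hygiene alone does not stop one app's script from sending requests as the logged-in user to another app, whereas per-student hostnames yield distinct origins.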
