Can published IVLE web apps identify when they are being accessed by a user logged in to IVLE?

Asked by Marco Lui

Is there any way to identify if a published IVLE web app is being served to a user logged in to IVLE, and if so, is it possible to obtain the username? Thanks!

Question information

English Edit question
IVLE Edit question
No assignee Edit question
Last query:
Last reply:
Revision history for this message
William Grant (wgrant) said :

It's not possible, no. IVLE scripts have full access to their CGI environment, and can run JavaScript, so could easily grab the user's cookie and impersonate them. Even if we were to alter IVLE to use the HttpOnly cookie flag (which wasn't widely supported when we made this design decision) and filter auth cookies from the HTTP_COOKIE CGI variable, student webapps could still make AJAX requests to other student webapps to impersonate other users.

A secure implementation should be possible in modern browsers with the use of one domain per student (probably a wildcard of * combined with HttpOnly cookies and the above HTTP_COOKIE filtering, but it's not currently supported by IVLE.

Can you help with this problem?

Provide an answer of your own, or ask Marco Lui for more information if necessary.

To post a message you must log in.