Can published IVLE web apps identify when they are being accessed by a user logged in to IVLE?

Asked by Marco Lui on 2012-04-12

Is there any way to identify if a published IVLE web app is being served to a user logged in to IVLE, and if so, is it possible to obtain the username? Thanks!

Question information

Language:
English Edit question
Status:
Answered
For:
IVLE Edit question
Assignee:
No assignee Edit question
Last query:
2012-04-12
Last reply:
2012-04-12
William Grant (wgrant) said : #1

It's not possible, no. IVLE scripts have full access to their CGI environment, and can run JavaScript, so could easily grab the user's cookie and impersonate them. Even if we were to alter IVLE to use the HttpOnly cookie flag (which wasn't widely supported when we made this design decision) and filter auth cookies from the HTTP_COOKIE CGI variable, student webapps could still make AJAX requests to other student webapps to impersonate other users.

A secure implementation should be possible in modern browsers with the use of one domain per student (probably a wildcard of *.students.informatics.unimelb.edu.au) combined with HttpOnly cookies and the above HTTP_COOKIE filtering, but it's not currently supported by IVLE.

Can you help with this problem?

Provide an answer of your own, or ask Marco Lui for more information if necessary.

To post a message you must log in.