Can published IVLE web apps identify when they are being accessed by a user logged in to IVLE?
Is there any way to identify if a published IVLE web app is being served to a user logged in to IVLE, and if so, is it possible to obtain the username? Thanks!
Question information
- Language: English
- Status: Answered
- For: IVLE
- Assignee: No assignee
- Last query: 2012-04-12
- Last reply: 2012-04-12
William Grant (wgrant) said (#1):
It's not possible, no. IVLE scripts have full access to their CGI environment, and can run JavaScript, so could easily grab the user's cookie and impersonate them. Even if we were to alter IVLE to use the HttpOnly cookie flag (which wasn't widely supported when we made this design decision) and filter auth cookies from the HTTP_COOKIE CGI variable, student webapps could still make AJAX requests to other student webapps to impersonate other users.
A secure implementation should be possible in modern browsers with the use of one domain per student (probably a wildcard of *.students.
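The trade-off in the answer above (HttpOnly stops a student app's script from reading the session cookie, but a same-origin AJAX request still carries it automatically, while one origin per student closes both paths) is modelled below in Python. This is an added illustration, not IVLE code; the host names `ivle.example` and `*.students.example`, the cookie name and the app paths are constructed placeholders, and the model deliberately ignores CORS-with-credentials and cross-site request side effects.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed model of the answer's reasoning: under which deployment layout
# can a second student's web app reach the IVLE session cookie of a user who
# is viewing the first student's app?

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # host that set it (host-only) or the Domain attribute value
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    http_only: bool   # True when Set-Cookie carried the HttpOnly flag

def cookie_matches_host(cookie: Cookie, host: str) -> bool:
    """RFC 6265 domain matching: a host-only cookie needs the exact host,
    a Domain cookie matches that domain and every subdomain of it."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)

def script_can_read(cookie: Cookie, app_url: str) -> bool:
    """document.cookie in a page served from app_url exposes the cookie only
    when it is in scope for that host and is not marked HttpOnly."""
    return cookie_matches_host(cookie, urlsplit(app_url).hostname) and not cookie.http_only

def same_origin(url_a: str, url_b: str) -> bool:
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def xhr_carries_cookie(cookie: Cookie, from_app: str, to_app: str) -> bool:
    """A same-origin XMLHttpRequest gets the cookie attached by the browser
    whether or not it is HttpOnly; this simplified model treats cross-origin
    requests as unusable (no CORS-with-credentials, no CSRF side effects)."""
    return same_origin(from_app, to_app) and cookie_matches_host(cookie, urlsplit(to_app).hostname)

def exposure(cookie: Cookie, victim_app: str, other_app: str) -> dict:
    """Summarise both paths by which other_app could act as the user of victim_app."""
    return {
        "readable_by_other_script": script_can_read(cookie, other_app),
        "sent_on_xhr_from_other": xhr_carries_cookie(cookie, other_app, victim_app),
    }

if __name__ == "__main__":
    session = Cookie("ivle_session", "ivle.example", host_only=True, http_only=True)
    # Layout 1: every student app is a path on the one IVLE host.
    print(exposure(session, "https://ivle.example/~alice/app", "https://ivle.example/~bob/app"))
    # Layout 2: one host per student, cookie stays host-only on the IVLE host.
    print(exposure(session, "https://alice.students.example/app", "https://bob.students.example/app"))
```

Under layout 1 the HttpOnly flag removes only the `readable_by_other_script` path; the same-origin XHR path remains, which is the answer's point, and only layout 2 turns both off.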
Provide an answer of your own, or ask Marco Lui for more information if necessary.