Merge branch 'MDL-79712-401' of https://github.com/snake/moodle into MOODLE_401_STABLE

2025-04-11 11:23:52 +02:00 · 2024-04-02 11:57:12 +08:00 · 2024-04-02 11:57:12 +08:00 · fa20b1790f
commit fa20b1790f
parent 6b0661b9ea 7d579dd4bb
2 changed files with 27 additions and 13 deletions
--- a/auth/lti/classes/local/ltiadvantage/event/event_handler.php
+++ b/auth/lti/classes/local/ltiadvantage/event/event_handler.php
@ -35,16 +35,14 @@ class event_handler {
     * @return void
     */
    public static function handle_user_loggedin(user_loggedin $event): void {
-        // The event data isn't important here. The intent of this listener is to ensure that the MoodleSession cookie gets the
-        // 'Partitioned' attribute, when required - an opt-in flag needed to use Chrome's partitioning mechanism, CHIPS. During LTI
-        // auth, the auth class (auth/lti/auth.php) calls complete_user_login(), which generates a new session cookie as part of its
-        // login process. This handler makes sure that this new cookie is intercepted and partitioned, if needed.
+        // The event data isn't important here. The intent of this listener is to ensure that the MoodleSession cookie is set up
+        // properly during LTI launches + login. This means two things:
+        // i) it's set with SameSite=None; Secure; where possible (since OIDC needs HTTPS this will almost always be possible).
+        // ii) it set with the 'Partitioned' attribute, when required.
+        // The former ensures cross-site cookies are sent for embedded launches. The latter is an opt-in flag needed to use Chrome's
+        // partitioning mechanism, CHIPS.
        if (cookie_helper::cookies_supported()) {
-            if (cookie_helper::get_cookies_supported_method() == cookie_helper::COOKIE_METHOD_EXPLICIT_PARTITIONING) {
-                global $CFG;
-                cookie_helper::add_attributes_to_cookie_response_header('MoodleSession' . $CFG->sessioncookie,
-                    ['Partitioned', 'Secure']);
-            }
+            cookie_helper::setup_session_cookie();
        }
    }
 }
--- a/auth/lti/classes/local/ltiadvantage/utility/cookie_helper.php
+++ b/auth/lti/classes/local/ltiadvantage/utility/cookie_helper.php
@ -157,10 +157,8 @@ final class cookie_helper {
                // Set a session flag storing the method used to set it, and make sure the session cookie uses this method.
                $cookiemethod = $cookie1received ? self::COOKIE_METHOD_NO_PARTITIONING : self::COOKIE_METHOD_EXPLICIT_PARTITIONING;
                $SESSION->auth_lti_cookie_method = $cookiemethod;
-                if ($cookiemethod === self::COOKIE_METHOD_EXPLICIT_PARTITIONING) {
-                    // This assumes secure is set, since that's the only way a paritioned test cookie have been set.
-                    self::add_attributes_to_cookie_response_header('MoodleSession'.$CFG->sessioncookie, ['Partitioned', 'Secure']);
-                }
+
+                self::setup_session_cookie();
            }
        }
    }
@ -210,6 +208,24 @@ final class cookie_helper {
        }
    }

+    /**
+     * Sets up the session cookie according to the method used in the cookie check, and with SameSite=None; Secure attributes.
+     *
+     * @return void
+     */
+    public static function setup_session_cookie(): void {
+        global $CFG;
+        require_once($CFG->libdir . '/sessionlib.php');
+
+        if (is_moodle_cookie_secure()) {
+            $atts = ['SameSite=None', 'Secure'];
+            if (self::get_cookies_supported_method() == self::COOKIE_METHOD_EXPLICIT_PARTITIONING) {
+                $atts[] = 'Partitioned';
+            }
+            self::add_attributes_to_cookie_response_header('MoodleSession' . $CFG->sessioncookie, $atts);
+        }
+    }
+
    /**
     * Set a test cookie, using SameSite=None; Secure; attributes if possible, and with or without partitioning opt-in.
     *