Charles Severance edited this page Mar 28, 2014 · 1 revision

Session Management Within Tsugi

Since the Tsugi environment is designed to support tools that are to be integrated into Learning Management Systems using IMS Learning Tools Interoperability, it is important that Tsugi tools work well within HTML iframes.

Increasingly, browsers are refusing to allow pages displayed in an iframe from a web site other than the web site that served the initial page to set browser cookies. The browsers are making this change to make it more difficult for web sites to surreptitiously add tracking cookies or perform other tracking activity. Unfortunately for learning tools, it is very common for a learning tool like Piazza to come from a different domain (piazza.com) than the learning management system (ctools.umich.edu).

So Tsugi goes to some length to avoid browser cookies for session tracking. This means that every form, anchor tag, and AJAX request needs to have the PHPSESSID appended to it so that the session is properly reconnected as the user moves from page to page in the application.

PHP has a very nice feature to handle nearly all the work of adding the PHPSESSID. When these settings are set in the setup.php code:

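// Do not use cookies to carry the session id
ini_set('session.use_cookies', '0');
// Accept a session id from the URL or a form field
ini_set('session.use_only_cookies', '0');
// Let PHP rewrite links and forms to include the session id
ini_set('session.use_trans_sid', '1');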

PHP looks at the output of your scripts and filters it. Markup like this:

<a href="configure.php">Configure</a>
<form method="post">
<textarea

is automatically augmented by PHP as follows:

<a href="configure.php?PHPSESSID=b6cdc5f454bb1b8bc21c936f0c40e6a8">Configure</a>
<form method="post"><input type="hidden" name="PHPSESSID" value="b6cdc5f454bb1b8bc21c936f0c40e6a8" />
<textarea

Because of this, you can simply output anchor and form tags as if cookie-based sessions were being used. But the PHP filter is not clever enough to know when a URL is being used in JavaScript, as in the following examples:

<input type=submit name="doCancel" value="Cancel"
	onclick="location='index.php'; return false;">

$.getJSON('chatlist.php', function(data) {
	window.console && console.log(data);
	$("#messages").empty();
	…

These locations need to be mapped as well. The PHPSESSID needs to be added to JavaScript URLs in our PHP code to produce output as follows:

<input type=submit name="doCancel" value="Cancel"
	onclick="location='index.php?PHPSESSID=b6cdc5f454bb1b8bc21c936f0c40e6a8'; return false;">

$.getJSON('chatlist.php?PHPSESSID=a8f2b228d783642848da94699ce85c03', function(data) {
	window.console && console.log(data);
	$("#messages").empty();
	…

Because this is a common problem, Tsugi provides a special PHP function called sessionize(), which comes from setup.php, that can be used to automatically add the PHPSESSID as needed, depending on whether or not a cookie is being used to maintain the session and on the format of the URL. Here is how you would call sessionize() in the above examples:

<input type=submit name="doCancel" value="Cancel"
	onclick="location='<?php echo(sessionize('index.php')); ?>'; return false;">

$.getJSON('<?php echo(sessionize('chatlist.php')); ?>', function(data) {
	window.console && console.log(data);
	$("#messages").empty();
	…

You can look at the code in setup.php for more details.
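
The URL handling that a sessionize()-style helper has to get right, as an added example; this is not the code from Tsugi's setup.php. The function name add_session_id() and its parameters are hypothetical, and the sample URLs and session id are constructed.

```php
<?php
// Added example, not Tsugi's setup.php: a hypothetical helper named
// add_session_id() that appends the session id to a URL only when needed.

function add_session_id(string $url, string $name, string $id, bool $cookieInUse): string
{
    // A cookie already carries the session (or there is no session):
    // leave the URL alone.
    if ($cookieInUse || $id === '') {
        return $url;
    }
    // Only relative URLs get the id. An absolute or protocol-relative
    // URL could hand the session id to another host.
    if (preg_match('#^([a-z][a-z0-9+.-]*:|//)#i', $url)) {
        return $url;
    }
    // Split off the fragment so the parameter lands in the query string.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    // Do not add the parameter a second time.
    $query = (string) parse_url($url, PHP_URL_QUERY);
    parse_str($query, $params);
    if (isset($params[$name])) {
        return $url . $fragment;
    }
    // Pick the separator based on whether a query string already exists.
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . rawurlencode($name) . '=' . rawurlencode($id) . $fragment;
}

// Constructed sample values; in a real page they would come from
// session_name(), session_id() and a check of $_COOKIE.
$name = 'PHPSESSID';
$id   = 'b6cdc5f454bb1b8bc21c936f0c40e6a8';

$samples = ['index.php', 'chatlist.php?room=3', 'view.php#top', 'https://other.example/x'];
foreach ($samples as $u) {
    echo add_session_id($u, $name, $id, false), "\n";
}
// With a session cookie in use the URL comes back unchanged.
echo add_session_id('index.php', $name, $id, true), "\n";
```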
