Uploaded image for project: 'Moodle app'
  1. Moodle app
  2. MOBILE-3605

In-app browser login: Should not retain cookies

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • 3.9.4
    • Log in screen
    • Hide
      1. You need a Moodle installation that is set to allow the mobile app, and that supports default Moodle manual authentication for login.
      2. Apply the attached login-cookies.patch to your Moodle installation.
      3. Change the admin settings under 'Mobile authentication' to use the in-app browser option.
      4. Connect to your site with the app (or change site if required), and go to log in.
        • At the bottom of the login form, you should see a message about cookies, with both cookies blank (it looks like: [] [])
      5. Log in as any account.
      6. Log out or change site.
      7. Add a new site.
      8. Connect to your site again.
        • At the bottom of the login form, confirm that the message about cookies still has both cookies blank ([] []).
      9. Don't forget to remove the patch from your Moodle installation when finished testing.

      Prior to this bugfix, one cookie is still set on the second login attempt. See screenshot for an example of this.

      (Note: If you want to see what the cookies do, try the login page in a normal browser. It just sets a session and dated cookie to the username that you typed.)

      Show
      You need a Moodle installation that is set to allow the mobile app, and that supports default Moodle manual authentication for login. Apply the attached login-cookies.patch to your Moodle installation. Change the admin settings under 'Mobile authentication' to use the in-app browser option. Connect to your site with the app (or change site if required), and go to log in. At the bottom of the login form, you should see a message about cookies, with both cookies blank (it looks like: [] []) Log in as any account. Log out or change site. Add a new site. Connect to your site again. At the bottom of the login form, confirm that the message about cookies still has both cookies blank ([] []). Don't forget to remove the patch from your Moodle installation when finished testing. Prior to this bugfix, one cookie is still set on the second login attempt. See screenshot for an example of this. (Note: If you want to see what the cookies do, try the login page in a normal browser. It just sets a session and dated cookie to the username that you typed.)
    • MOODLE_39_STABLE

      A new commercial login system that we will be deploying in future uses dated (not session) cookies for its login persistence.

      This causes a problem with the log out feature in the mobile app when using the in-app browser feature. If you log in, log out, and then log in again (intending to change to a different user account), instead of showing you the prompt to log in, it immediately logs you straight back in as the first account because the cookie is still there from the first login. So from the user's point of view, it did not fully log out.

      The in-app browser should not retain either kind of cookie, so that if you log out and then log in again, you will always be prompted for login. Currently, it clears session cookies, but keeps permanent cookies.

      To easily reproduce this problem, apply the attached login-cookies.patch to your Moodle installation. This causes the login page to set 2 cookies when you log in (one session cookie and one cookie that expires in 24 hours). The login page also displays the current value of the same cookies if they are set.

        1. login-cookies.patch
          0.9 kB
        2. Screenshot_20201125-171645.png
          Screenshot_20201125-171645.png
          92 kB

            quen Sam Marshall
            quen Sam Marshall
            Dani Palou Dani Palou
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.