Authentication issues with 3rd party cookies
Until early December 2012, having cookies enabled was sufficient to authenticate on to NetSpace (cisco.netacad.com). From January 2013, it is not possible, and 3rd party cookies need to be enabled as well. From a security point of view this is not really a good idea. What has changed?
Hi Willem,
For security and reporting purposes, assessments and content in NetSpace are delivered from a separate delivery system. The delivery system uses cookies for required session information. We use the Learning Tools Interoperability (LTI) standard for communicating between the systems. The LTI tool access pattern exists as a relationship between two separate domains, that of the consumer and that of the producer. The content and assessment delivery system, as the producer, exists on a different domain than the learning management system where consumers access the content. Because the delivery system is being invoked from a different domain than the consumer LMS, standard browser security models require the enabling of third party cookies to pass the correct cookies to the delivery system.
This has always been the case; however, browser security models may have changed, cache and preferences may have been cleared, and depending on the browser, one might have been able to ‘always trust this domain’ for cookies. There were no updates made to the system in January related to cookie management that would have changed this requirement. It is possible to have a browser configured to never allow 3rd party cookies unless explicitly white-listed.
Thank you,
Kimberly
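The cross-domain situation described in the reply above can be modelled in a few lines. This is an added example, not part of the original thread and not NetSpace code: it is a simplified model of how a browser classifies a cookie as third-party and how a per-site exception differs from enabling third-party cookies globally. Every host except cisco.netacad.com is a constructed placeholder, and the suffix set is a small stand-in for the Public Suffix List.

```javascript
// Simplified model of a browser's third-party cookie decision for an LTI launch.
// Assumption: tiny stand-in for the Public Suffix List, enough for the sample hosts.
const PUBLIC_SUFFIXES = new Set(["com", "example"]);

// Registrable domain = public suffix plus one label; this is the "site" browsers compare.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treat as unclassifiable
}

// A request is third-party when its site differs from the site in the address bar.
function isThirdParty(topLevelUrl, requestUrl) {
  const top = registrableDomain(new URL(topLevelUrl).hostname);
  const req = registrableDomain(new URL(requestUrl).hostname);
  return top === null || req === null || top !== req;
}

// policy: "allow-all" or "block-third-party"; allowList holds explicitly trusted sites.
function cookieDecision(topLevelUrl, requestUrl, policy, allowList = []) {
  if (!isThirdParty(topLevelUrl, requestUrl)) return "sent (first-party)";
  if (policy === "allow-all") return "sent (third-party allowed)";
  const site = registrableDomain(new URL(requestUrl).hostname);
  if (allowList.includes(site)) return "sent (allow-listed exception)";
  return "blocked (third-party)";
}

const LMS = "https://cisco.netacad.com/";                    // consumer (host from the thread)
const TOOL = "https://assessments.delivery.example/launch";  // producer (constructed placeholder)
const SAME_SITE = "https://static.netacad.com/app.js";       // constructed same-site subdomain

function demo() {
  return [
    cookieDecision(LMS, TOOL, "allow-all"),                               // global opt-in
    cookieDecision(LMS, TOOL, "block-third-party"),                       // LTI session cookie lost
    cookieDecision(LMS, TOOL, "block-third-party", ["delivery.example"]), // narrow exception
    cookieDecision(LMS, SAME_SITE, "block-third-party"),                  // same site, unaffected
  ];
}

console.log(demo());
```

The third case is the configuration mentioned at the end of the reply: third-party cookies stay blocked everywhere except for the one explicitly trusted delivery site.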
-
Brian Kappel commented
I am going to date myself but I remember in the wild days when we actually voted on if browsers should be allowed on the web that used cookies. Long long time ago.