From d2271683a196eee0b8414d3acb8293099309019b Mon Sep 17 00:00:00 2001
From: Bryan Wilson
Date: Mon, 15 Jan 2024 20:32:10 -0700
Subject: [PATCH 1/4] edx-jwt cookies don't expire, make session cookies
---
 openedx/core/djangoapps/user_authn/cookies.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/openedx/core/djangoapps/user_authn/cookies.py b/openedx/core/djangoapps/user_authn/cookies.py
index 4ae2b264332a..18e387f10b97 100644
--- a/openedx/core/djangoapps/user_authn/cookies.py
+++ b/openedx/core/djangoapps/user_authn/cookies.py
@@ -257,8 +257,14 @@ def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None):
 if settings.FEATURES.get('DISABLE_SET_JWT_COOKIES_FOR_TESTS', False):
 return
- expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']
- _set_expires_in_cookie_settings(cookie_settings, expires_in)
+ # going to set these as session cookies per PSU request.
+ # The Magnento code checks for edx-jwt-cookie-header-payload to determine if a learner
+ # is logged into the LMS. If none found, a new login_session API call is made
+ # Kate wants these cookies to be invalidated at browser close, in part because
+ # users are sharing computers.
+
+ # expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']
+ # _set_expires_in_cookie_settings(cookie_settings, expires_in)
 jwt = _create_jwt(request, user, expires_in)
 jwt_header_and_payload, jwt_signature = _parse_jwt(jwt)
From 624439d0b4c2482155f2d8e714b7956c7b6b7a4a Mon Sep 17 00:00:00 2001
From: Bryan Wilson
Date: Tue, 16 Jan 2024 11:18:56 -0700
Subject: [PATCH 2/4] Still need to set expires_in for JWT inside cookie
---
 openedx/core/djangoapps/user_authn/cookies.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openedx/core/djangoapps/user_authn/cookies.py b/openedx/core/djangoapps/user_authn/cookies.py
index 18e387f10b97..8019e3419f76 100644
--- a/openedx/core/djangoapps/user_authn/cookies.py
+++ b/openedx/core/djangoapps/user_authn/cookies.py
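Review bot: The comment block added in 1/4 records who asked for session cookies but not the consequence a maintainer needs to know: with `_set_expires_in_cookie_settings(cookie_settings, expires_in)` disabled, the cookie lifetime is no longer tied to `JWT_IN_COOKIE_EXPIRATION`, so the cookie can outlive the `exp` of the token it carries. A consumer that only tests for the presence of `edx-jwt-cookie-header-payload`, as the comment says the Magento code does, could then treat an expired JWT as a live login; I would say so in the comment, for example `# Session cookie: its lifetime is decoupled from the JWT's exp, so consumers must validate the token, not just its presence.` Browsers that restore the previous session keep session cookies across a close, so the comment should not promise invalidation on shared computers. The two commented-out statements should be deleted rather than kept (2/4 restores the first, the second stays behind as dead code). The body of `_create_and_set_jwt_cookies` starts and ends outside the hunk.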
@@ -263,7 +263,7 @@ def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None):
 # Kate wants these cookies to be invalidated at browser close, in part because
 # users are sharing computers.
- # expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']
+ expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']
 # _set_expires_in_cookie_settings(cookie_settings, expires_in)
 jwt = _create_jwt(request, user, expires_in)
From 588a38a5227e4de03be01c1bf9a9c0f400808b4b Mon Sep 17 00:00:00 2001
From: Bryan Wilson
Date: Tue, 16 Jan 2024 13:24:31 -0700
Subject: [PATCH 3/4] delete expires from cookie_settings for JWT cookies
---
 openedx/core/djangoapps/user_authn/cookies.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/openedx/core/djangoapps/user_authn/cookies.py b/openedx/core/djangoapps/user_authn/cookies.py
index 8019e3419f76..beb473ec4fd8 100644
--- a/openedx/core/djangoapps/user_authn/cookies.py
+++ b/openedx/core/djangoapps/user_authn/cookies.py
@@ -269,6 +269,9 @@ def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None):
 jwt = _create_jwt(request, user, expires_in)
 jwt_header_and_payload, jwt_signature = _parse_jwt(jwt)
+ # set a JWT cookie as session cookie
+ del cookie_settings['expires']
+
 _set_jwt_cookies(
 response,
 cookie_settings,
From 7dfe8895f543014e3a3b90dc370bab292f324218 Mon Sep 17 00:00:00 2001
From: Bryan Wilson
Date: Tue, 16 Jan 2024 13:29:54 -0700
Subject: [PATCH 4/4] delete cookie_Settings['max_age'] for jwt cookies
---
 openedx/core/djangoapps/user_authn/cookies.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/openedx/core/djangoapps/user_authn/cookies.py b/openedx/core/djangoapps/user_authn/cookies.py
index beb473ec4fd8..98d478c8a315 100644
--- a/openedx/core/djangoapps/user_authn/cookies.py
+++ b/openedx/core/djangoapps/user_authn/cookies.py
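Review bot: `del cookie_settings['expires']` in 3/4 edits the dict the caller passed in and raises `KeyError` if the key is absent; the `del cookie_settings['max_age']` added in 4/4 has the same two problems. The callers are outside these hunks, so it cannot be confirmed here that both keys are always present, or that `cookie_settings` is not reused afterwards for other cookies, which would then lose their expiry as well. Building a local copy avoids both: `jwt_cookie_settings = {k: v for k, v in cookie_settings.items() if k not in ('expires', 'max_age')}`, passed to `_set_jwt_cookies` in place of `cookie_settings`. The `_set_jwt_cookies(` call continues past the end of the hunk.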
@@ -271,6 +271,7 @@ def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None):
 # set a JWT cookie as session cookie
 del cookie_settings['expires']
+ del cookie_settings['max_age']
 _set_jwt_cookies(
 response,
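Review bot: Nothing in the series checks the behaviour that `del cookie_settings['max_age']` completes: all four patches touch only `cookies.py`, so no test asserts that the JWT cookies are now emitted without `Max-Age` and `Expires`. Because the change exists for a shared-computer concern, a regression test that runs the login cookie path and asserts both attributes are empty on the JWT cookies would keep a later refactor from quietly restoring persistent cookies. If other cookies are built from the same `cookie_settings` (not visible here), the test should also assert that they keep their expiry.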