Moodle-WeBWorK integration: Moodle created user can login directly to WeBWorK

by Jacek Polewczak -
Number of replies: 6
Hi All,

I am using Moodle (2.8.5+ Build: 20150414) with webwork assignment activity module wwassignment6_ver2.8+ and wwlink6_ver2.8+

I have noticed that Moodle created users can ALSO access WeBWorK directly, i.e., without going via the Moodle interface. Well, such a user gets WeBWorK Warnings:

Use of uninitialized value $possibleCryptPassword in string eq at /opt/webwork/webwork2/lib/WeBWorK/Authen.pm line 628.

However, if one disregards this message, such a user can access and do homework. Is it normal?

Can such direct logins be prevented for Moodle created users?

Thanks,
Jacek
In reply to Jacek Polewczak

Re: Moodle-WeBWorK integration: Moodle created user can login directly to WeBWorK

by Michael Gage -
I haven't checked the latest version for this but what is supposed to happen is that the student is given a login to webwork with the same user name as in moodle and with a randomly generated password which moodle memorizes. So unless the student guesses the password they will not be able to login to webwork.

If the student (or more likely the instructor) already has an account on webwork (with the same user name as in moodle) then moodle does not create a new account and does not create a new password. Such a user can login directly to webwork. 

This is what is supposed to happen (and did happen in earlier versions).  I haven't yet done extensive testing of the most recent version or possible exploits so if you find one that doesn't conform to the description above please send me details of how it is done.  (gage@math.rochester.edu)
In reply to Michael Gage

Re: Moodle-WeBWorK integration: Moodle created user can login directly to WeBWorK

by Michael Gage -
This explanation is not quite correct.  Moodle sets the password to NULL (so that logging in with a password is never possible) and forces the setting of a session_key. (A session_key is essentially a temporary password -- it is passed back and forth in a hidden variable every time a request is made of the server. It expires after a certain amount of time of inactivity.)

Some "new" (since around 2012) behavior of webwork is that a session_cookie is also set on the user's machine containing the session_key information so one can log back in to webwork as long as this session_cookie is available, even though the html pages with the hidden variable version of the session_key are no longer around.

This is what makes it possible to log directly into webwork (if you have recently logged in via moodle) even though you no longer have moodle in your browser. 
In reply to Jacek Polewczak

Re: Moodle-WeBWorK integration: Moodle created user can login directly to WeBWorK

by Michael Gage -
Some investigation shows that what is happening is that a session_cookie has been set on the student's computer when the student is transferred to WeBWorK.  The student will be able to login to webwork as long as this session_cookie is still around and has not expired. (not sure what the expiration time is -- perhaps 20 minutes?) 

One could consider this a feature and in fact we are considering leaving the behavior as is unless we hear reasons to remove this as a default. 

You can disable this feature by setting the "session_management_via" configuration item to "key" in localOverrides.conf.

(There is a bug in our .dist distribution version of the configuration files -- the defaults.config actually sets "session_cookies" to be the default -- so that cookies are always set -- localOverrides.conf.dist hints that "key" is the default and that hint is NOT correct.)

At the very least we'll change the configuration files to remove this confusion but tentatively we'll leave it so that session_cookies are always set and that students can reconnect with a webwork session automagically as long as these cookies are still around no matter how they logged in originally.

Comments?

In reply to Michael Gage

Re: Moodle-WeBWorK integration: Moodle created user can login directly to WeBWorK

by Jacek Polewczak -
I have now

$session_management_via = "key";

in localOverrides.conf.

Restarted apache and also eliminated cookies from the browser and still a Moodle created user can connect directly to WeBWorK. As before, there is a warning message:

Warning messages

  • Use of uninitialized value $possibleCryptPassword in string eq at /opt/webwork/webwork2/lib/WeBWorK/Authen.pm line 628.

In reply to Jacek Polewczak

Re: Moodle-WeBWorK integration: Moodle created user can login directly to WeBWorK

by Michael Gage -
Hmm. Did you delete the student from the webwork course before  retrying this?

Once there is a username in the webwork course matching the username in moodle then moodle simply uses that user.  It doesn't reset a password.
(This is why professors who normally create a userID in webwork before connecting to moodle can still log in to webwork directly.) So if the student has a userID in webwork and a password the moodle connection will not modify either.

One other test -- even without setting $session_management_via = "key" -- if you log in directly to webwork as a student and then explicitly "logout" from webwork my experience is that you will not be able to get back in to webwork again.

If you go back to moodle, enter webwork from moodle and then try to login directly to webwork you will be able to succeed again. 

Let me know the results of the experiment.  It's possible there is even more going on.

Take care,

Mike

In reply to Michael Gage

Re: Moodle-WeBWorK integration: Moodle created user can login directly to WeBWorK

by Jacek Polewczak -
Hmm. Did you delete the student from the webwork course before retrying this?

yes, I did.


If you go back to moodle, enter webwork from moodle and then try to login directly to webwork you will be able to succeed again.

Yes, that's the case and it is OK. However, I am talking here about the situation when a moodle created student can login directly to WeBWorK, after the next two hours or next day, etc., even when he/she didn't login to Moodle at all. For this experiment I used different browsers and/or different physical computer systems. This happens even if each time I remove ALL cookies and clear the entire history.

Furthermore, I observe the same behaviour regardless of these entries

$session_management_via = "key"

$session_management_via = "session_cookie"

in localOverrides.conf. I tried various combinations here, no change in behaviour:

moodle created student can login directly to WeBWorK anytime

By the way, defaults.config contains this entry: $session_management_via = "key";

Mike, please try it. Use the credentials I sent you in the email for a student.

And here is the entire

WeBWorK Warnings

WeBWorK has encountered warnings while processing your request. If this occured when viewing a problem, it was likely caused by an error or ambiguity in that problem. Otherwise, it may indicate a problem with the WeBWorK system itself. If you are a student, report these warnings to your professor to have them corrected. If you are a professor, please consult the warning output below for more information.

Warning messages

Use of uninitialized value $possibleCryptPassword in string eq at /opt/webwork/webwork2/lib/WeBWorK/Authen.pm line 628.

Request information

Time Sun May 03 20:50:23 2015
Method POST
URI /webwork2/test1_webwork/
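
The warning quoted in this thread says an undefined value reached a string `eq` in the password check, and in Perl `undef eq ''` is true, so a check of that shape must refuse accounts with no stored hash before it compares anything. The sketch below is an added example, not WeBWorK's Authen.pm and not code from any poster in this thread. Assumptions: the shape of the check, the `toy_hash` stand-in for the hashing step, the account names, and that the Moodle-created user's NULL password is read back as an empty string.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Toy salted hash (assumption, not a recommended password scheme).
# Returns undef when the stored value carries no usable salt, which is
# how an undefined candidate can reach the comparison.
sub toy_hash {
    my ($clear, $stored) = @_;
    return undef unless defined $stored && $stored =~ /^([0-9a-f]{8})\$/;
    return "$1\$" . sha256_hex($1 . $clear);
}

# Weak shape: compares whatever the hash step returned. With an empty
# stored value the candidate is undef, Perl warns "Use of uninitialized
# value ... in string eq", treats undef as '', and the test succeeds.
sub check_naive {
    my ($clear, $stored) = @_;
    my $candidate = toy_hash($clear, $stored);
    return $candidate eq $stored ? 1 : 0;
}

# Hardened shape: an account without a stored hash has no password login.
sub check_hardened {
    my ($clear, $stored) = @_;
    return 0 unless defined $stored && length $stored;
    my $candidate = toy_hash($clear, $stored);
    return 0 unless defined $candidate;
    return $candidate eq $stored ? 1 : 0;
}

# Constructed sample accounts: one with a real hash, one with none.
my $salt     = 'a1b2c3d4';
my %accounts = (
    native_user => toy_hash('correct horse', "$salt\$"),
    moodle_user => '',    # NULL password read back as '' (assumption)
);

for my $user (sort keys %accounts) {
    for my $try ('correct horse', 'anything') {
        printf "%-12s %-16s naive=%d hardened=%d\n", $user, "'$try'",
            check_naive($try, $accounts{$user}),
            check_hardened($try, $accounts{$user});
    }
}
```

Running it prints the same kind of "uninitialized value in string eq" warning to STDERR for the account with the empty stored value, which is the signal to look for in server logs when auditing a check like this.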