SameSite Cookie Issues for LTI Tool Providers

1EdTech members can also view this information with updated LTI Developer FAQs in the 1EdTech Member Support Portal (login required).


Overview

In February 2020, Google will release version 80 of its Chrome browser. A change to the default cookie behavior will potentially cause LTI Tools that rely on cookies to have problems embedding inside Tool Platforms. Other browsers are likely to implement these default changes in the future.

See Google Chrome's official announcement for more details.

The Solution

Not all browsers treat the SameSite=None setting in the same way, so you may need to tailor your solution to handle both cases.

For browsers that support SameSite None

Update your cookies to set both the SameSite=None and Secure attributes.

For browsers that don't support SameSite None yet

There are some browsers and web clients that don't support the new SameSite=None cookie flag and won't save the cookie if that flag is set. For those browsers, you will need to do some extra work to make sure your cookies are working everywhere you need them to.
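
One way to cover both cases above, as an added example that is not from the original page: the tool sets its session cookie twice, once with SameSite=None and Secure and once with no SameSite attribute, and reads whichever one comes back. The cookie names, the function names and the dual-cookie approach itself are assumptions of this example; `audit_set_cookie` flags headers that would stop working in an embedded launch under the Chrome 80 defaults.

```python
from http.cookies import SimpleCookie

# Hypothetical cookie names for this example; not defined by LTI or by the page.
SESSION_COOKIE = "lti_session"
LEGACY_COOKIE = "lti_session_legacy"


def build_set_cookie_headers(session_id, max_age=3600):
    """Set-Cookie values for a tool session that must survive an iframe launch."""
    base = f"Path=/; Max-Age={max_age}; HttpOnly; Secure"
    return [
        # Kept by browsers that support SameSite=None (Secure is required with it).
        f"{SESSION_COOKIE}={session_id}; {base}; SameSite=None",
        # No SameSite attribute: kept by clients that drop SameSite=None cookies.
        f"{LEGACY_COOKIE}={session_id}; {base}",
    ]


def read_session_id(cookie_header):
    """Return the session id from a request Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    for name in (SESSION_COOKIE, LEGACY_COOKIE):  # prefer the SameSite=None cookie
        if name in jar and jar[name].value:
            return jar[name].value
    return None


def audit_set_cookie(header):
    """List reasons a Set-Cookie value fails when embedded under Chrome 80 defaults."""
    attrs = {}
    for part in header.split(";")[1:]:  # skip the leading name=value pair
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip().lower()
    problems = []
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("no SameSite attribute: not sent in a cross-site iframe")
    elif samesite in ("lax", "strict"):
        problems.append(f"SameSite={samesite}: not sent in a cross-site iframe")
    elif samesite == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure: cookie is rejected")
    return problems
```

A cookie marked SameSite=None is sent on every cross-site request, so state-changing endpoints in the tool still need their own CSRF protection.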

These sites explain in detail how to handle these other browsers:

Additional Resources

Frequently Asked Questions

How can I tell if I'll be affected?

You can enable the new behavior on current versions of Chrome by going to chrome://flags and turning on "SameSite by default cookies" and "Cookies without SameSite must be secure", which is a great way to test your LTI tools now.

This site can also be a useful tool to help understand how your browser interacts with these cookie settings:

What changes do LTI Platforms need to make?

Platforms can't make any changes that help mitigate the potential problems for tools. However, Platform companies are likely to receive support requests for tools that stop working, and should be prepared to diagnose the problem quickly and have communications ready to send to any Tools that haven't adjusted their cookie handling.

If an LTI tool isn't able to adjust its cookie handling quickly enough and there are disruptions in needed tools, most Platforms have the ability to set an LTI link to launch in a new window, which will allow the tool to be used, even if it degrades the experience a little bit.

As an LMS admin at an institution or district, do I need to update anything?

There should be no need for LMS admins to make any changes in their LMS. But if your institution has developed or maintains an LTI tool, your development team may need to make some changes.

It is also recommended that you test your more critical LTI tools now, so that any problems can be fixed before they start affecting students.

If you find yourself waiting on tool vendors to update for this problem, you may consider configuring those tools to launch in a new window so that they can continue to be used.