1. Use request.session instead of request.user, since request.user
won't necessarily be properly set.
2. Be extra paranoid by putting logging after session cookie deletion,
so that even if there is some error related to logging, the important
work will complete and the browser won't get left in a broken state.
3. Write out the full contents of the Cookie header (up to 4096 bytes)
in the log as a base64 encoded string. This way we can look at broken
cookie states and diagnose what's breaking them (the Python parser will
just silently skip anything past a corrupted cookie entry). We base64
encode mostly to prevent people from maliciously injecting garbage into
our logs.
This adds middleware that will create custom parameter metrics in
New Relic to track the size of all the cookies being received for
our domain. The custom fields are "cookies_total_size" and a
separate named parameter for every cookie size, e.g.
"cookies.csrftoken.size".
This is intended to help us track cookie growth and better diagnose
issues where users lose their sessions. It is toggled by the
'request_utils.capture_cookie_sizes' Waffle Flag.
Currently, the LMS logout endpoint should iframe in the logout pages of
all the IDAs you were logged into. In short, this was made possible with
DOP because keeping track of the logout URIs and leaving a trail of
evidence in the user cookies was part of what we added in our fork of
DOP. In the case of DOT, we don't have time or desire to fork DOT to
mirror this behavior, so our stop-gap solution is to log out the user
from a list of logout URIs in settings.
This PR is based on #19284 and is part of the
series of work related to the proposal #18134.
This PR avoids the assignment of
anonymous/unenrolled users to any cohort when
course is public. Anonymous or unenrolled users
will only see content that does not have a
content group assigned.
The "View Course" link to the course outline
is shown on the course about page for a course
marked public/public outline.
It also makes course handouts available for
public courses (not for public_outline).
This PR also hides the different warnings and
messages asking the user to sign-in and enroll
in the course, when the course is marked public.
It modifies the default public_view text to
include the component display_name when
unenrolled access is not available.
The following changes are made to add LMS user_id:
* Adds user_id scope to the JWT to provide the LMS user_id.
* JWT cookies always use the user_id claim.
ARCH-379
