Integrations Documentation

LTI Cookie Problem - Windows postMessage Solution

The cookie problem

In recent years, modern browsers have indicated they would like to deprecate the use of third-party cookies. Cookies are critical for session management in modern applications, which causes a problem for LTI tools that rely on cookies to identify users as they navigate from their learning management system (LMS) to their external learning tool. Currently, none of the three major browsers have agreed on a cohesive solution. Safari is the first to remove support for third-party cookies. Chrome planned on removing cookies but has recently delayed their plans.

Cookies are used as part of the standard OIDC initiation process for launching LTI 1.3 external learning tools within an iframe in an LMS. As a result, a solution is needed to allow LTI tools to continue working without relying on cookies.

The cookie solution

1EdTech released three public draft proposal standards to solve this problem. These standards describe the recommended process for storing information in Windows postMessage instead of cookies. These standards have been supported by several major platforms and tool partners with generally positive feedback. The following resources describe how to create this solution using Windows postMessage:

LTI OIDC Login with LTI Client Side postMessages | IMS Global Learning Consortium

LTI Client Side postMessages | IMS Global Learning Consortium

LTI postMessage Storage | IMS Global Learning Consortium

Brightspace's status

Brightspace has supported these standards since July 2022, enabling external learning tools who also support these standards to continue launching in an iframe in Brightspace without using cookies.

Recommendation for all LTI tools

All LTI external learning tools that want to continue launching within an iframe in Brightspace in browsers without cookies will need to support these standards so they can store any needed information in Windows postMessage instead of cookies.

Tool content should not need to be remade or modified after the tool supports these standards nor should they have any other affect on tool functionality. However, there may be exceptions for some tools. All existing tool content will benefit from these standards after implementation.

What if the LTI tool does not support these standards?

If the LTI tool does not support these standards and is having problems launching, then opening the tool in a new window is the recommended path forward. There are several ways to open a tool in a new window:

New Content Experience: Edit the activity. Then open Display Options and select Open in a new tab. This is the recommended approach.
Classic Content Experience: Edit the properties in place and select Open as External Resource.
Page: Edit the HTML. Then add or edit the HTML link and select Open in New Window.
Widget: Widget links cannot be opened in a new window by default.
Navbar: Edit the navbar. Open the content in a new window or tab.
Valence APIs are available to control functionality where users open content in a new window.
Deployment level: The Open as External Resource configuration setting is available at the tool deployment level. Note that this setting only applies to new links created after the setting is enabled.

Deep Linking

Deep Linking links can only be opened in an iframe in Brightspace, which is consistent behavior with other major LMSs. For external learning tools to continue using Deep Linking links without cookies, it is recommended to use these new standards to maintain continuity in behavior across all browsers.

LTI 1.1 and 1.3

This cookie problem predominantly affects LTI 1.3 tools due to the launch process used in LTI 1.3; and the Windows postMessage solution only resolves the cookie problem for LTI 1.3 integrations.

LTI 1.1 tools do not require cookies for the launch process, but LTI 1.1 tools may still need cookies for other functionality. If this is the case, the LTI 1.1 tool will need to provide their own solution to continue working without cookies.

The current status of these standards

These standards were released as a public draft with the intent to make this solution available as soon as possible to the general public. This is not standard procedure for 1EdTech LTI standards. These standards are currently in review and may change as they are supported by additional tool partners. The 1EdTech work group is actively reviewing these standards and plans to release these standards in their final version by the end of 2024.