ATutor

Learning Management Tools







Pages:1 2 3 4 5 6 7 8 9 10 11 12 13 14 15


Security


  • 2008-10-06 18:54:34

    Security

    Evening,

    Background: I have enabled pretty URL and couple of public and private courses.

    Issue is that any one registed for the private couse can see the URL's for the private course in their browser and access and share the course directly by copying and pasting the URL in the browser.
    I would really appreciate if you can help resolve the issue

    Thanks.

  • 2008-10-07 03:32:20

    Re: Security

    morning,

    this is not happening here. if I type in the URL for a private course I am redirected to the login page for that course. the URL for the courses are also available in the course catalogue, unless you set them to not show there.

  • 2008-10-07 04:26:47

    Re: Security

    AFAIK, the PrettyURL feature doesn't intrude into the security mechanisms of ATutor so, in principle, it shouldn't pose any security threats.

    Once you've logged out from an account that has access to a particular private course, you should be unable to enter that course by just following a URL. At least, from another machine/browser, or the same browser after reloading it.

    Could you describe which exactly steps you take to share the course? Is that course public, protected or private?

  • 2008-10-07 08:04:47

    Re: Security

    Morning,
    Steps:
    - Imported SCORM 1.2 package (multiple modules individually)
    - Linked the course to the content section of a private course. (using direct http://{website}/aTutor/sco/8/13/1/start.html link for each module

    Notes: If i copy the link to the browser it bypasses Atutor and gives direct access to the course.
    But the link.
    BUT what you are refering to the following link :
    http://(Website}/aTutor/tools/packages/scorm-1.2/view.php?org_id=13 Which DOES TAKE to the logon module

  • 2008-10-07 11:02:10

    Re: Security

    Quick question: Can we block the URL from being seen in the course window ?

  • 2008-10-07 16:00:31

    Re: Security

    IndieRect,
    I simulated the issue in your demo server
    Content: Integrate text
    URL: http://www.atutor.ca/atutor/demo161/go.php/demo_course/content.php?cid=1510

    Your help is much apprecited. Is it a bug or am i doing things wrong ?

  • 2008-10-08 08:35:35

    Re: Security

    The demo course is public, so you can access it directly without logging in. To prevent that, make the course private.

    If you want to hide the location bar, you could add some scripting to the default header template that would hide it. I not sure if it this would reliably hide the location though. You'll need to experiment. Try searching google with "hide browser location"

  • 2008-10-08 08:54:09

    Re: Security

    Blocking displaying the URL, even if you'll manage to do that, will be browser-dependent, and an attacker with enough diligence will be able to defeat it.

    BTW, I'm not a part of the ATutor.ca, so technically it's not "my" demo server. :D
    But I'd help you anyway in my spare time. Cheers!

  • 2008-10-08 15:58:27

    Re: Security

    Greg,
    Public or Private course i can access the course bypassing Atutor by using course direct link :{website}/aTutor/sco/8/13/1/start.html generated by loading SCORM 1.2 course.
    I think this is a big issue

  • 2008-10-08 18:42:57

    Re: Security

    Still can't reproduce the problem. Here's a link to a package in the demo course, now set to private (for now). It should ask you to login.


    http://www.atutor.ca/atutor/demo161/tools/packages/scorm-1.2/learner_view.php?org_id=20

  • 2008-10-08 19:04:36

    Re: Security

    Actually, on closer investigation, I am able to reproduce the problem.

    http://www.atutor.ca/atutor/demo161/sco/1/22/1/start.html

    The module's original maintainers are no longer maintaining it. If we can fit it into our development over the next few weeks, before the next release, we'll try to find a solution. Otherwise it's noted in the bug tracker and will get fixed in due time.

    http://www.atutor.ca/atutor/mantis/view.php?id=3592

  • 2008-10-08 21:07:54

    Re: Security

    Thanks. I appreciate it