Chrome 80’s change to cookie policy will break lots of LTI tools – but not Tsugi tools

This is the latest news from IMS about the changes to Chrome that will likely cause a lot of LTI providers to break.

The good news is that Tsugi tools do not use cookies *at all* to maintain their session.  This design choice makes it more difficult to develop Tsugi apps but has several advantages:
  • Tsugi apps can function within multiple iframes simultaneously on the same page
  • Tsugi apps can be logged on different accounts across multiple tabs
  • Tsugi apps should be unaffected as Chrome and the rest of the browser market tightens down the use of cookies
This works for both PHP and Python / Python Tsugi tools.
It was not easy – I when PHP 7.0 came out – they broke the feature so I filed and got fixed some arcane PHP bugs. In the Django world there was a cookiless session module that was 1.x only so I helped get that upgraded and am contributing improvements to the product so that the cookieless code in Django is actually superior to the PHP code for cookiless sessions.
The mistake that 99% of the LTI developers make is that they assume LTI a Single-Sign-On – which is absolutely not true – leading to some really poorly designed cookie-based LTI integrations  that Chrome is about to punish.
This is why using a framework for LTI applications is so important.