openwebwork-devel

Re: [WWdevel] Webwork Security Features

[Sam H. <sh...@ma...>]

on 06/19/2007 10:00 PM jf...@pu... said the following:

> My name is Justin Floro and I am a graduate student at Purdue University.  The 
> mechanical engineering department at Purdue is considering using the Webwork 
> system in an engineering thermodynamics class.  Some of the faculty have 
> questions regarding the security features of webwork. I have searched the 
> webwork website for information pertaining to the security features of 
> webwork, but I have not been able to locate much information about them.  
> Could you please provide me with documentation on security, or tell me where I 
> may go to find it?

Hi Justin,

The WeBWorK security model is pretty standard -- one logs in with a user
name and password, and a session key is generated that is used to
authenticate subsequent requests. The session key expires after a
configurable period of inactivity.

WeBWorK also has a permissions system -- each user has a numeric
"permission level". Each WeBWorK action is assigned a minimum required
permission level, and a user must meet that minimum to perform that
action. All this is configured in the main configuration file --
global.conf. You can peruse the latest version of the file here:
<http://cvs.webwork.rochester.edu/viewcvs.cgi/webwork2/conf/global.conf.dist?rev=HEAD&content-type=text/vnd.viewcvs-markup>

Thanks for writing -- I'm glad Purdue is considering WeBWorK. Let me
know if you have other questions, or need assistance in getting things
working.
-sam

Re: [WWdevel] Webwork Security Features

[Sam H. <sh...@ma...>]

on 06/27/2007 05:12 PM jf...@pu... said the following:
> Sam,
> 
> Hello, it's Justin Floro from Purdue again.  If you have a few moments I have 
> some more questions about Webwork's security key.
> 
> Is the session key generated unique to each Webwork session, or is it a key 
> that is generated for a specific student login?

It is unique for each session. If a client attempts to use an expired
key, the key is deleted and the user is prompted for a password. Upon
authenticating, a new key is created. The details are in
lib/WeBWorK/Authen.pm and its subclasses.

> How large is the session key that is generated?

>From conf/global.conf:

# $sessionKeyLength defines the length (in characters) of the session key
$sessionKeyLength = 32;

# @sessionKeyChars lists the legal session key characters
@sessionKeyChars = ('A'..'Z', 'a'..'z', '0'..'9');

> How is the session key generated?

$sessionKeyLength random characters are selected from @sessionKeyChars.

> Thanks again for your help.

No problem.
-sam