Merge pull request #2731 from drgrice1/session-tangling-fix

Reset the cookie session before Mojolicious saves it.

Author: Alex-Jordan

lib/WeBWorK/Authen.pm

@@ -844,6 +844,10 @@ sub store_session {
 		}
 	}
 
+	# The session parameters need to be set again, because another request may have occured during this
+	# request in which case the session parameters for the app will now be set for that request.
+	$self->{c}->setSessionParams;
+
 	return;
 }
 

lib/WeBWorK/Controller.pm

@@ -45,6 +45,24 @@ sub param ($c, @opts) {
 	return wantarray ? @{ $c->{paramcache}{$name} } : $c->{paramcache}{$name}[0];
 }
 
+sub setSessionParams ($c) {
+	$c->app->sessions->cookie_name(
+		$c->stash('courseID') ? 'WeBWorKCourseSession.' . $c->stash('courseID') : 'WeBWorKGeneralSession');
+
+	# If the hostname is 'localhost' or '127.0.0.1', then the cookie domain must be omitted.
+	my $hostname = $c->req->url->to_abs->host;
+	$c->app->sessions->cookie_domain($hostname) if $hostname ne 'localhost' && $hostname ne '127.0.0.1';
+
+	$c->app->sessions->cookie_path($c->ce->{webworkURLRoot});
+	$c->app->sessions->secure($c->ce->{CookieSecure});
+
+	# If this is a session for LTI content selection, then always use SameSite None. Otherwise cookies will not be
+	# sent since this is in an iframe embedded in the LMS.
+	$c->app->sessions->samesite($c->stash->{isContentSelection} ? 'None' : $c->ce->{CookieSameSite});
+
+	return;
+}
+
 # Override the Mojolicious::Controller session method to set the cookie parameters
 # from the course environment the first time it is called.
 sub session ($c, @args) {
@@ -53,20 +71,7 @@ sub session ($c, @args) {
 	# Initialize the cookie session the first time this is called.
 	unless ($c->stash->{'webwork2.cookie_session_initialized'}) {
 		$c->stash->{'webwork2.cookie_session_initialized'} = 1;
-
-		$c->app->sessions->cookie_name(
-			$c->stash('courseID') ? 'WeBWorKCourseSession.' . $c->stash('courseID') : 'WeBWorKGeneralSession');
-
-		# If the hostname is 'localhost' or '127.0.0.1', then the cookie domain must be omitted.
-		my $hostname = $c->req->url->to_abs->host;
-		$c->app->sessions->cookie_domain($hostname) if $hostname ne 'localhost' && $hostname ne '127.0.0.1';
-
-		$c->app->sessions->cookie_path($c->ce->{webworkURLRoot});
-		$c->app->sessions->secure($c->ce->{CookieSecure});
-
-		# If this is a session for LTI content selection, then always use SameSite None. Otherwise cookies will not be
-		# sent since this is in an iframe embedded in the LMS.
-		$c->app->sessions->samesite($c->stash->{isContentSelection} ? 'None' : $c->ce->{CookieSameSite});
+		$c->setSessionParams;
 	}
 
 	return $c->SUPER::session(@args);