Step 4: Establish a user session

Having reached this step, we have established that the request received was valid and contained all the data we needed. It is now time to act on this request. The process adopted here is very much application specific and will be similar to any code already in use for handling other login pages. An LTI launch request, however, may involve more than just a login process; for example:

  1. Cancel any existing session for this tool provider which may be currently defined in the user's browser.
  2. Check if the user ID is already known:
    • if not, provision a new account for them;
    • if so, update any of the details which have changed (e.g. name).
  3. Check if the resource link ID is already known:
    • if not, provision any working space which may be required for new links;
    • if so, update any of the details which have changed (e.g. title).
  4. Initialize a login session for the user, capturing any data from the launch which may be required later, such as:
    • user ID;
    • role;
    • resource ID;
    • return URL.
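
One way to implement steps 2 and 3 of this list, as an added example that is not part of the original sample code. The table, column and function names are hypothetical, and it assumes PHP 7.1 or later with the PDO SQLite driver. Records are keyed on the consumer key together with the ID, because a user ID or resource link ID is only unique within the tool consumer that sent it.

```php
<?php
// Added example, not from the original page. Table, column and function names
// are hypothetical; the array keys are LTI launch parameter names.
function ltiCreateSchema(PDO $db): void {
    $db->exec('CREATE TABLE lti_user (consumer_key TEXT, user_id TEXT,
        firstname TEXT, lastname TEXT, PRIMARY KEY (consumer_key, user_id))');
    $db->exec('CREATE TABLE lti_link (consumer_key TEXT, resource_link_id TEXT,
        title TEXT, PRIMARY KEY (consumer_key, resource_link_id))');
}

// Step 2: returns true if a new account was provisioned, false if updated.
function ltiSyncUser(PDO $db, array $launch): bool {
    $key = [$launch['oauth_consumer_key'], $launch['user_id']];
    $find = $db->prepare('SELECT 1 FROM lti_user WHERE consumer_key = ? AND user_id = ?');
    $find->execute($key);
    $isNew = ($find->fetchColumn() === false);
    $sql = $isNew
        ? 'INSERT INTO lti_user (firstname, lastname, consumer_key, user_id) VALUES (?, ?, ?, ?)'
        : 'UPDATE lti_user SET firstname = ?, lastname = ? WHERE consumer_key = ? AND user_id = ?';
    $name = [$launch['lis_person_name_given'] ?? '', $launch['lis_person_name_family'] ?? ''];
    $db->prepare($sql)->execute(array_merge($name, $key));
    return $isNew;
}

// Step 3: the same pattern for the resource link and its title.
function ltiSyncLink(PDO $db, array $launch): bool {
    $key = [$launch['oauth_consumer_key'], $launch['resource_link_id']];
    $find = $db->prepare('SELECT 1 FROM lti_link WHERE consumer_key = ? AND resource_link_id = ?');
    $find->execute($key);
    $isNew = ($find->fetchColumn() === false);
    $sql = $isNew
        ? 'INSERT INTO lti_link (title, consumer_key, resource_link_id) VALUES (?, ?, ?)'
        : 'UPDATE lti_link SET title = ? WHERE consumer_key = ? AND resource_link_id = ?';
    $db->prepare($sql)->execute(array_merge([$launch['resource_link_title'] ?? ''], $key));
    return $isNew;
}

// Constructed launch data; in the tool these values come from the validated $_POST.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
ltiCreateSchema($db);
$launch = ['oauth_consumer_key' => 'consumer-a', 'user_id' => '29123',
    'lis_person_name_given' => 'Jane', 'lis_person_name_family' => 'Doe',
    'resource_link_id' => 'link-1', 'resource_link_title' => 'Week 1'];
var_dump(ltiSyncUser($db, $launch), ltiSyncLink($db, $launch)); // first launch
var_dump(ltiSyncUser($db, $launch));                            // repeat launch
$launch['oauth_consumer_key'] = 'consumer-b';
var_dump(ltiSyncUser($db, $launch)); // same user_id sent by a second consumer
```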

The user session established as part of this process will often be given an ID which is passed with each request from the user's browser via a cookie or a query parameter; this is an implementation issue and is not constrained by the LTI specification.  The main objective is to allow the tool provider to know who the user is whenever an HTTP request is received from the user's browser without needing to authenticate them again and verify their authorization to access the resource(s) being requested.

Sample PHP Code

This code is for illustrative purposes only, since the precise requirements will be application specific.  In this case it is assumed that a user's name is not permanently held by the tool provider and so is added to the session for later use.  A flag is also set to identify whether a user is an instructor or a learner and, in the latter case, sufficient data is retained to allow an outcome to be returned if this has been provided by the tool consumer.

The $roles variable comes from the sample code provided for Step 3.

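  // Cancel any existing session: clear its data and issue a new session ID,
  // so that an ID already held by the browser is not carried into this login
  if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
  }
  $_SESSION = array();
  session_regenerate_id(true);

  // Initialise the user session
  $_SESSION['userId'] = $_POST['user_id'];
  $_SESSION['isInstructor'] = in_array('urn:lti:role:ims/lis/Instructor', $roles);
  // The name parameters are optional in a launch, so default to an empty string
  $_SESSION['firstname'] = isset($_POST['lis_person_name_given']) ? $_POST['lis_person_name_given'] : '';
  $_SESSION['lastname'] = isset($_POST['lis_person_name_family']) ? $_POST['lis_person_name_family'] : '';
  $_SESSION['consumerKey'] = $_POST['oauth_consumer_key'];
  $_SESSION['resourceLinkId'] = $_POST['resource_link_id'];
  // Keep the outcome details only for learners, and only if the consumer sent them
  if (!$_SESSION['isInstructor'] &&
      isset($_POST['lis_outcome_service_url']) && isset($_POST['lis_result_sourcedid'])) {
    $_SESSION['outcomesUrl'] = $_POST['lis_outcome_service_url'];
    $_SESSION['resultSourcedId'] = $_POST['lis_result_sourcedid'];
  }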