Enhancing Moodle Exam Security: Single Sign-On, SEB Integration, and Triple Login Fix

[Elrashid]

#703
#702

Hello Community,

I hope this message finds you all well. I recently reached out for advice regarding an issue we were experiencing with the Safe Exam Browser (SEB) integration within our Moodle setup, where students were required to log in three times during the process of accessing an exam. I want to extend my gratitude for the community's support and share our comprehensive approach to not only addressing the single login issue but also enhancing the overall security and integrity of our online examinations. Our strategy encompasses a meticulous configuration of SEB and a series of additional security measures aimed at creating a more streamlined and secure examination process for our students. Below, I detail the steps and rationale behind each measure, hoping it might benefit others facing similar challenges or looking to improve their online exam security.

Tutorial for Moodle Modifications

Introduction

This tutorial guides you through customizing your Moodle installation to enhance security and user experience. We'll modify the user key authentication, integrate a Secure Exam Browser (SEB) login button, and implement a redirection mechanism. These modifications ensure a smoother and more secure user authentication process and exam environment.

Prerequisites

• A working Moodle installation.
• Administrator access to the Moodle codebase and the server.
• Basic understanding of PHP and Moodle's plugin architecture.
• userkey plugin installed and configure https://moodle.org/plugins/auth_userkey

Step 1: Enhance User Key Authentication

1.1 Modify request_login_url in externallib.php

Location: wwwroot/auth/userkey/externallib.php

Objective: Ensure that only the matching user or users with specific capabilities can generate a login key.

public static function request_login_url($user) {
    global $USER;

    if (!is_enabled_auth('userkey')) {
        throw new webservice_access_exception(get_string('pluginisdisabled', 'auth_userkey'));
    }

    // Ensure the current user is logged in and has the right to generate a key.
    require_login();  
    
    if($USER->id != $user->id) {
        $context = context_system::instance();
        require_capability('auth/userkey:generatekey', $context);
    }

    $auth = get_auth_plugin('userkey');
    $loginurl = $auth->get_login_url($user);

    return array(
        'loginurl' => $loginurl,
    );
}

Explanation: This modification introduces an additional security check to ensure that the current user ($USER) matches the user object passed to request_login_url or has the auth/userkey:generatekey capability. This prevents unauthorized generation of login URLs.

Step 2: Update SEB Button Integration

2.1 Modify get_launch_seb_button in rule.php

Location: wwwroot/mod/quiz/accessrule/seb/rule.php

Objective: Customize the SEB launch button to include user key authentication, enhancing security for quiz access.

...
use auth_userkey_external; 
...
require_once($CFG->dirroot . '/auth/userkey/externallib.php');
...

private function get_launch_seb_button() : string {
    global $USER;
    
    $seblink = \quizaccess_seb\link_generator::get_link($this->quiz->cmid, false, is_https());
    $userkeyAuth = new auth_userkey_external();
    $loginurl = $userkeyAuth->request_login_url($USER)['loginurl'];
    $loginkey = explode(".php?key=", $loginurl)[1];
    $url = new moodle_url('/auth/userkey/login.php', ['key' => "{$loginkey}", 'wantsurl' =>  $seblink]);
    $seblink =  $url->out(false);
    $seblink = new moodle_url('/redirect.php', ['url' => $seblink]);
    $seblink->set_scheme('sebs');
    $seblink =  $seblink->out(true);
    $buttonlink = html_writer::start_tag('div', ['class' => 'singlebutton']);
    $buttonlink .= html_writer::link($seblink, get_string('seblinkbutton', 'quizaccess_seb'), ['class' => 'btn btn-secondary', 'title' => get_string('seblinkbutton', 'quizaccess_seb')]);
    $buttonlink .= html_writer::end_tag('div');

    return $buttonlink;
}

Explanation: This code generates a Secure Exam Browser (SEB) link that integrates user key authentication. It ensures that only authenticated users can access the exam, providing an additional layer of security.

Step 3: Implement a Redirection Mechanism

3.1 Create a New File for Redirection

Location: Create a new file at wwwroot/redirect.php

Objective: Safely redirect users to specified URLs while validating the destination.

<?php
$mydomain = 'moodle.mydomain.com';

// Get the URL from the query string
$url = isset($_GET['url']) ? $_GET['url'] : '';

// Validate the URL
if (!filter_var($url, FILTER_VALIDATE_URL)) {
    header("Location: https://$mydomain");
    exit;
}

// Ensure the domain matches the Moodle domain
$domain = parse_url($url, PHP_URL_HOST);
if ($domain != $mydomain) {
    header("Location: https://$mydomain");
    exit;
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Login</title>
    <style>
        body {
            text-align: center;
            font-size: 24px;
        }
        h1 {
            font-size: 36px;
            margin-top: 100px;
        }
        #loginLink {
            font-size: 48px;
            text-decoration: none;
            color: #0000FF;
        }
    </style>
</head>
<body>
    <h1><a id="loginLink" href="<?php echo htmlspecialchars($url); ?>" onclick="disableLink(event)">Click Here to login</a></h1>

    <script>
        function disableLink(event) {
            var link = document.getElementById("loginLink");
            if (link.getAttribute("disabled") === "true") {
                event.preventDefault(); // Prevent default behavior if already disabled
                return;
            }
            link.textContent = "Login in progress, please wait...";
            link.setAttribute("disabled", "true"); // Set disabled attribute
        }
    </script>
</body>
</html>

Explanation: This PHP script (redirect.php) serves as a safe redirection mechanism. It validates the destination URL's domain to match the Moodle domain, preventing redirection to potentially malicious sites. Additionally, it enhances the user experience by displaying a clear message during the login process and ensuring that users are aware that login is in progress.

Best Practices:

• Always backup your Moodle codebase and database before making modifications.
• Test changes in a development or staging environment before applying them to your production site.
• Keep your Moodle installation and plugins up to date to ensure compatibility and security.
• Review and adhere to Moodle's coding standards and best practices for custom development.

By following this enhanced tutorial, you've taken steps to improve the security and functionality of your Moodle site, providing a better experience for both administrators and users.

SEB Configuration Details

1. Enable "Allow Reconfiguration Secure/Exam Session" in the "Exam" Tab: This setting allows the SEB to be reconfigured for a secure exam session, enabling the use of a specific configuration URL provided by Moodle for each exam.

2. Set "Reconfiguration URL" in the "Exam" Tab: Use *://moodle.yourdomain.com/* as the pattern. This wildcard URL pattern allows the SEB to accept reconfiguration from any URL on your Moodle domain, facilitating dynamic exam settings.

3. Disable "Clear Browser Session When Starting an Exam or Starting SEB": By disabling this, you preserve the user's browser session. This can be useful for exams that require preloaded content or specific user settings.

4. Disable "Clear Browser Session When Ending an Exam or Terminating SEB": Similar to the previous setting, this keeps the browser session even after the exam ends, which might be required for specific educational or administrative purposes.

5. Enable "Allow Query Parameters": This setting enables passing of query parameters in URLs, which can be essential for directing users to specific exams or pages within Moodle with customized settings or authentication tokens.

Additional Security Measures

6. Dedicated Exam WiFi with DNS Override: A separate WiFi network for exams, with DNS settings pointed directly to the Moodle server, ensures that exam traffic is routed through the local LAN without Internet access. This minimizes the risk of online distractions or cheating.

7. Enforcement by IP Access Rules: Setting Moodle to allow access to the exam only from the dedicated exam WiFi network's IP range further secures the exam environment.

8. Random Physical Checks for Student Laptops: Conducting random checks deters students from attempting to bypass SEB or use unauthorized tools during exams.

9. Simulated Single Login for Each User: Ensure that each student can only log in once to the exam to prevent sharing of login credentials.

10. Exam Entry Password: Require a password to enter the exam, providing an additional layer of security.

11. Hide the Exit Button and Introduce an Exit Link for Students: By eliminating the exit button from the student's interface, we mitigate the risk of both accidental and deliberate termination of the exam. The implementation of an exit password reinforces security by ensuring that only individuals with authorization can conclude the exam session. To further streamline the process and enhance user experience, an exit link becomes visible to students at the conclusion of their exam. This approach eliminates the necessity for students to know the exit password, thereby simplifying their exit procedure while maintaining the integrity and security of the exam environment.

12. Update Blacklisted Apps Every Semester: Regularly update the list of applications that are blocked during an exam to include newly identified tools that could be used for cheating.

13. Update SEB Minimum Requirements Each Semester: Ensure that students' SEB versions meet the minimum requirements for compatibility and security features necessary for your exams.

Best Practices for Implementation

• Communication: Clearly communicate all requirements, including SEB installation and configuration steps, to students well before the exam.

• Training Sessions: Offer training sessions or guides for both students and faculty to familiarize them with SEB and any specific exam procedures.

• Technical Support: Provide dedicated technical support before and during exams to address any issues with SEB or the exam setup.

• Pilot Testing: Conduct pilot tests of the exam setup, including SEB configuration and network settings, to identify and resolve potential issues before the actual exam.

• Feedback Loop: After each exam, collect feedback from students and faculty to identify areas for improvement in the exam process and SEB configuration.

By meticulously configuring SEB and implementing these additional security measures, you significantly enhance the integrity and reliability of online exams conducted through Moodle.

Conclusion and Best Practices

This tutorial has guided you through enhancing the Moodle authentication process using the User Key authentication plugin, integrating a Secure Exam Browser (SEB) launch button with user key authentication, and implementing a secure redirection mechanism. These modifications provide a more secure and user-friendly environment for Moodle users, especially in scenarios requiring secure exam settings.

Request for Community Feedback and Contributions

As we strive to refine this approach and contribute to the Moodle community, especially those new to Moodle plugin development like myself, I seek your insights and feedback:

• Security Perspective: What are your thoughts on the security measures outlined? Are there additional precautions you'd suggest?
• Experience Sharing: Has anyone implemented similar measures or faced challenges with SEB integration that they can share?
• Contributing to the Moodle Plugin Base: I am keen on contributing these insights and configurations back to the Moodle community. Could anyone guide me on how to best approach this, considering I'm new to Moodle plugin development?

Your feedback, suggestions, and guidance would be invaluable to not only enhancing our current setup but also potentially benefiting the broader Moodle community facing similar challenges. Thank you for taking the time to read through our approach. I look forward to your expert insights and joining the efforts to improve Moodle's security and usability.

[dbuechel]

Thank you very much indeed for sharing your insights @Elrashid, this is most definitely invaluable information for the entire SEB community!