Thank you so much for this example. I have been able to implement and adapt it to simply show user details from userResult in onLaunch.

However, your example (and my adaptations) use $_SESSION which doesn't work where cross-site tracking is disabled (unless I'm missing something).

It appears the library supports platform storage. Any chance the example could be updated? I have tried to figure this out but can't seem to wrap my head around it.

The library will automatically seek to use the platform storage for tools, if available, when their cookies are being blocked (see https://github.com/celtic-project/LTI-PHP/wiki/Platform_storage).

So, your existing example should be working when cookies are blocked?

Yes, assuming you are using a version of the library in which this feature has been added.

OK. I am seeing varying behaviours as I test more. My apologies for not testing more scenarios.

Using Chrome in iOS I am seeing "Sorry, there was an error connecting you to the application" unless I enable "Allow Cross-Website Tracking". This was why I didn't think your example was using platform storage.

Safari in iOS shows a message about the browser blocking the request, but clicking Continue opens a new tab.

Incognito mode in Chrome for Windows shows that "browser blocking" message as well (which aligns with the "Block third-party cookies in Incognito" setting), though it opens the tab automatically.

Firefox for Windows (private or not) seems to work normally.

The implemented solution will force the tool into a new tab/window as a last resort. However, as browsers increase their restrictions on third-party cookies, even this may prove to be insufficient. Tools may need to completely avoid their dependence upon cookies to carry on working, but if you know of any other techniques which can be usefully implemented, please pass them on.