replaced session_paramerters with server params for security reasons

cleaned up comments

app/controllers/exercises_controller.rb

@@ -157,16 +157,14 @@ class ExercisesController < ApplicationController
   end
 
   def redirect_to_lti_return_path
-    #Todo replace session with lti_parameter /done
     lti_parameter = LtiParameter.where(consumers_id: session[:consumer_id],
-                                       external_user_id: session[:external_user_external_id],
+                                       external_user_id: @current_user.external_id,
                                        exercises_id: @submission.exercise_id).first
 
     path = lti_return_path(consumer_id: session[:consumer_id],
                            submission_id: @submission.id,
                            url: consumer_return_url(build_tool_provider(consumer: Consumer.find_by(id: session[:consumer_id]),
                                                                         parameters: lti_parameter.lti_parameters)))
-                                                                        # parameters: session[:lti_parameters])))
     respond_to do |format|
       format.html { redirect_to(path) }
       format.json { render(json: {redirect: path}) }
@@ -230,7 +228,7 @@ class ExercisesController < ApplicationController
   def submit
     @submission = Submission.create(submission_params)
     score_submission(@submission)
-    if lti_outcome_service?(@submission.exercise_id)
+    if lti_outcome_service?(@submission.exercise_id, @current_user.external_id, @current_user.consumer_id)
       transmit_lti_score
     else
       redirect_after_submit