Skip to content

Cookie security docs are misleading #1432

New issue
Jump to bottom
New issue
Jump to bottom
Closed
#1433
Closed
Cookie security docs are misleading#1432
#1433
Labels
bug
@krassowski

Description

@krassowski
krassowski
opened on Jun 20, 2024

If cookie secret file does not exist, a cookie file is saved on disk by default:

jupyter_server/jupyter_server/serverapp.py

Lines 1150 to 1160 in b85c15b

@default("cookie_secret")
def _default_cookie_secret(self) -> bytes:
if os.path.exists(self.cookie_secret_file):
with open(self.cookie_secret_file, "rb") as f:
key = f.read()
else:
key = encodebytes(os.urandom(32))
self._write_cookie_secret_file(key)
h = hmac.new(key, digestmod=hashlib.sha256)
h.update(self.password.encode())
return h.digest()

But documentation incorrectly claims that the cookie will be regenerated each time:

jupyter_server/jupyter_server/serverapp.py

Lines 1138 to 1148 in b85c15b

cookie_secret = Bytes(
b"",
config=True,
help="""The random bytes used to secure cookies.
By default this is a new random number every time you start the server.
Set it to a value in a config file to enable logins to persist across server sessions.
Note: Cookie secrets should be kept private, do not share config files with
cookie_secret stored in plaintext (you can read the value from a file).
""",
)

Which is not the case and has adverse security implications. For example, users may think that using "Copy Download Link" in JupyterLab is safe enough because even if the link is leaked they can just restart the server to invalidate it. This is not the case by default.

The relevant part of the documentation string was last updated in May 28, 2013 b0d0ed0 but the behaviour changed on Jul 7, 2014 in 0d9ba93.

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions