Hi folks, I've set up JupyterHub and used custom OAuth authentication from my server to allow users to log in. I've modified the workflow such that it returns the user data during the first API request to /oauth/authorize. Exactly how does the state query param that is passed prevent another person (hacker) from capturing that state, setting their browser cookie and logging in? Does it have anything to do with the cookie secret that is set initially?
Consider this scenario:
- XYZ logs in to hub.example.com
- Attacker sees XYZ's state by snooping the Wi-Fi and capturing the URL
- Now attacker tries to log in to hub.example.com as XYZ after setting browser cookie
How is this scenario prevented?
I want to be able to safely deploy this for some stakeholders, hence the concern for safety.
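The following is an added example (not part of this post and not OAuthenticator's own code) that models how an OAuth `state` parameter is normally protected: the hub generates a random `state`, stores it in a cookie signed with the hub's cookie secret, and at the callback checks both that the cookie's signature is valid and that the cookie's state matches the one in the URL. It then runs the scenario described above. An attacker who only captured the URL has no signed state cookie, cannot forge one without the secret, and a cookie from their own login attempt carries a different state, so every replay is rejected. The authorization code itself is exchanged server-side with the client secret, and the hub's login session cookie is only issued after that exchange succeeds; the `state`/cookie pairing is what stops a captured URL from being turned into a session. Serving the hub over HTTPS is still what stops the URL from being captured on the Wi-Fi in the first place. All names and the secret below are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Hypothetical secret standing in for the hub's cookie_secret; generated per run.
COOKIE_SECRET = secrets.token_bytes(32)


def _sign(secret: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over the cookie payload, keyed with the cookie secret."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_state(secret: bytes) -> Tuple[str, str]:
    """Start a login: return (state, cookie_value).

    `state` is placed in the redirect to /oauth/authorize; `cookie_value`
    is set in the same browser so the callback can be tied to that browser.
    """
    state = secrets.token_urlsafe(32)
    payload = base64.urlsafe_b64encode(json.dumps({"state": state}).encode()).decode()
    return state, f"{payload}.{_sign(secret, payload.encode())}"


def verify_callback(secret: bytes, cookie_value: Optional[str], state_from_url: str) -> bool:
    """Accept the callback only if the browser presents a cookie we signed
    AND the state inside it equals the state in the callback URL."""
    if not cookie_value or "." not in cookie_value:
        return False  # no state cookie at all: reject
    payload, sig = cookie_value.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(secret, payload.encode())):
        return False  # forged or tampered cookie: reject
    try:
        expected = json.loads(base64.urlsafe_b64decode(payload.encode()))["state"]
    except (ValueError, KeyError):
        return False  # malformed payload: reject
    # Constant-time comparison so timing does not leak the expected value.
    return hmac.compare_digest(expected, state_from_url)


def scenario() -> dict:
    """Run the legitimate login and the three attacker variants from the post."""
    # XYZ starts a login: the hub issues a state and a signed cookie.
    state, cookie = make_state(COOKIE_SECRET)
    legit = verify_callback(COOKIE_SECRET, cookie, state)

    # Attacker replays the captured callback URL without any state cookie.
    no_cookie = verify_callback(COOKIE_SECRET, None, state)

    # Attacker crafts a cookie containing the captured state, signed with a
    # guessed key because the real cookie secret is not known to them.
    payload = base64.urlsafe_b64encode(json.dumps({"state": state}).encode()).decode()
    forged_cookie = f"{payload}.{_sign(b'guessed-secret', payload.encode())}"
    forged = verify_callback(COOKIE_SECRET, forged_cookie, state)

    # Attacker uses a genuine cookie from their own login attempt with XYZ's state.
    _own_state, own_cookie = make_state(COOKIE_SECRET)
    mismatch = verify_callback(COOKIE_SECRET, own_cookie, state)

    return {
        "legitimate": legit,
        "replay_without_cookie": no_cookie,
        "forged_cookie": forged,
        "own_cookie_victim_state": mismatch,
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the legitimate browser, which holds both the URL state and the matching signed cookie, gets through; each attacker variant is rejected by a different check (missing cookie, bad signature, state mismatch).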