Cookie secret and state - how does it ensure secure login?

Hi folks, I’ve set up JupyterHub and used custom OAuth authentication from my server to allow users to log in. I’ve modified the workflow such that it returns the user data during the first API request to /oauth/authorize. Exactly how does the state query param that is passed prevent another person (hacker) from capturing that state, setting their browser cookie and logging in? Does it have anything to do with the cookie secret that is set initially?

Consider this scenario:

  1. XYZ logs in to hub.example.com
  2. Attacker sees XYZ’s state by snooping the Wi-Fi and capturing the URL
  3. Now attacker tries to log in to hub.example.com as XYZ after setting browser cookie

How is this scenario prevented?

I want to be able to safely deploy this for some stakeholders, hence the concern for safety.

If everything is encrypted (https) at worst an attacker snooping on your network would see the domains or IPs you’re visiting but they wouldn’t see the rest of the URL, nor would they see any cookies or other sensitive information.

If you’re not using https then there’s not much you can do, the attacker will be able to see everything.

Edit: see this post for an explanation of the login process:


Thanks for the reply! @manics