Invalidate JupyterHub user session after defined expiration time

The initial issue is described here: How to force re-login for users, and it seems that it is still unresolved - there is no simple way to log out a user in JupyterLab after the time defined in c.JupyterHub.tornado_settings.cookie_options.expires_days

After some investigation of what is going on inside the authentication mechanism of JupyterHub / Lab, I have some questions and want to figure out why authorization works this way.

I’m using oauthenticator.generic.GenericOAuthenticator and have defined the tornado session cookie expiration as ~1m30s:

c.JupyterHub.tornado_settings.cookie_options.expires_days=0.001

I noticed that requests going from JupyterLab can be authenticated in two ways:

  • by the static Authorization token that has no expiration time (!), initially loaded from the server and stored in JavaScript. This token is sent in the header Authorization: token dabd7016eb9f448cbb764d2b3d8c0067 with each request
  • by the session cookie jupyterhub-user-username, which has an expiration age equal to the defined ~1m30s BUT is refreshed after each request and, as a result, never expires, because every 10 seconds JupyterLab sends requests in the background

If either the Authorization header or the session cookie exists in a request, then the request is authorized properly and the response contains a new, refreshed session cookie.

My questions are:

  • why is it necessary to pass the Authorization header with each request? It has no expiration time, and having it in JS isn’t secure
  • why is the session cookie jupyterhub-user-username refreshed every time?

To solve my personal issue I want to:

  • remove the Authorization token entirely from JupyterLab, at least from requests. Is it possible?
  • refresh the session cookie only once - after login - so it expires exactly after the time I defined in the server config

Thanks in advance
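As an added illustration of the observation above (not code from the thread or from JupyterHub), the following checks a sequence of Set-Cookie headers for the sliding-expiry behaviour described and flags requests that carry the static token header. The cookie name is the one from the thread; the header values and the token string are constructed samples.

```python
from email.utils import parsedate_to_datetime

COOKIE_NAME = "jupyterhub-user-username"  # cookie name as reported in the thread


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip('"'), attrs


def cookie_expiry(header, name=COOKIE_NAME):
    """Expiry (aware datetime) of cookie `name` from a Set-Cookie header, else None."""
    cname, _, attrs = parse_set_cookie(header)
    if cname != name or "expires" not in attrs:
        return None
    return parsedate_to_datetime(attrs["expires"])


def count_expiry_refreshes(set_cookie_headers, name=COOKIE_NAME):
    """Number of responses that pushed the cookie's expiry later than before.

    0 means the expiry is absolute (fixed at login). n-1 for n responses
    means every request slides it, so a polling client never expires."""
    refreshes, last = 0, None
    for header in set_cookie_headers:
        exp = cookie_expiry(header, name)
        if exp is None:
            continue
        if last is not None and exp > last:
            refreshes += 1
        last = exp
    return refreshes


def uses_static_token(request_headers):
    """True when a request carries the non-expiring 'Authorization: token ...' header."""
    return request_headers.get("Authorization", "").lower().startswith("token ")


# Constructed sample: three background polls ~10 s apart, each answered with the
# cookie re-set ~90 s ahead (the behaviour the poster observed).
SLIDING = [
    'jupyterhub-user-username="s1"; expires=Mon, 01 Jan 2024 10:01:30 GMT; Path=/; HttpOnly; Secure',
    'jupyterhub-user-username="s2"; expires=Mon, 01 Jan 2024 10:01:40 GMT; Path=/; HttpOnly; Secure',
    'jupyterhub-user-username="s3"; expires=Mon, 01 Jan 2024 10:01:50 GMT; Path=/; HttpOnly; Secure',
]
# Constructed sample of the desired behaviour: expiry fixed at login, then only re-sent.
FIXED = [SLIDING[0], SLIDING[0].replace('"s1"', '"s2"')]
```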

@minrk Why has the topic been moved from the JupyterLab to the JupyterHub category? The issue is observed only on JupyterLab; a simple Jupyter notebook doesn’t suffer from this problem

I moved it because authentication is generally different under JupyterHub, even if there is something JupyterLab-specific. JupyterLab has no cookie-related code, for example.

The jupyterlab jupyterhub extension sets the token to be used for API requests in page config.

For the cookie question, I’m not sure what would be causing it to be set for every request. Can you launch jupyterlab with --debug and share some log output? It seems like this could happen if one had shared a URL with ?token=... and kept making requests with a token in a query parameter. Also what version of jupyterhub and jupyterlab are you using?

Having the auth token accessible in js enables API requests to other JupyterHub services for integrated extensions like nbviewer or file sharing.

Removing the auth token from jupyterlab requests might be possible by setting the page_config token to None. I’m not 100% sure how to do that, though, since there doesn’t appear to be a page_config override.