The initial issue is described here: How to force re-login for users, and it seems that it is still unresolved - there is no simple way to log out a user in JupyterLab after the time defined in
After some investigation of what is going on inside the authentication mechanism of JupyterHub / Lab, I have some questions and want to figure out why authorization works this way.
oauthenticator.generic.GenericOAuthenticator and defined the tornado session cookie expiration in ~1m30s
I noticed that requests going from JupyterLab can be authenticated in two ways:
- by the header Authorization: token dabd7016eb9f448cbb764d2b3d8c0067 with each request
- by the session cookie jupyterhub-user-username that has an expiration age equal to the defined ~1m30s BUT is refreshed after each request and, as a result, never expires because every 10 seconds JupyterLab sends requests in the background
If either the Authorization header or the session cookie exists in a request, then the request is authorized properly and the response contains a new refreshed session cookie.
My questions are:
- Why is it necessary to pass the Authorization header with each request? It has no expiration time and having it in JS isn't secure.
- Why is the session cookie jupyterhub-user-username refreshed every time?
To solve my personal issue I want to:
- remove the Authorization token from JupyterLab entirely, at least from requests. Is it possible?
- refresh the session cookie only once, after login, so it expires exactly after the time I defined in the server config.
Thanks in advance
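As an added illustration of the behaviour the post describes (example code written for this page, not JupyterHub's or tornado's own implementation): a signed session cookie whose deadline is either re-issued on every request ("sliding", which a 10-second background poll keeps alive forever) or fixed at login ("absolute", which expires at the configured age regardless of traffic). The secret, user name and timestamps are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for the example only


def _sign(payload):
    """Return base64(payload).base64(HMAC-SHA256) so the cookie cannot be forged."""
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def _verify(cookie):
    """Return the decoded payload if the signature is valid, else None."""
    try:
        p64, m64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare
        return None
    return json.loads(payload)


def issue_cookie(user, now, max_age):
    """Cookie carrying an explicit expiry; `now` and `max_age` are in seconds."""
    return _sign(json.dumps({"user": user, "iat": now, "exp": now + max_age}).encode())


def check_sliding(cookie, now, max_age):
    """Sliding expiry: every valid request re-issues the cookie with a fresh deadline."""
    data = _verify(cookie)
    if data is None or now >= data["exp"]:
        return None, None
    return data["user"], issue_cookie(data["user"], now, max_age)


def check_absolute(cookie, now):
    """Absolute expiry: the deadline fixed at login is honoured; nothing is re-issued."""
    data = _verify(cookie)
    if data is None or now >= data["exp"]:
        return None
    return data["user"]


def simulate(mode, max_age=90, poll=10, steps=12):
    """Replay a background poll every `poll` s; return seconds until the session died, or None."""
    t0 = 1_700_000_000  # constructed login time
    cookie = issue_cookie("alice", t0, max_age)
    for i in range(1, steps + 1):
        now = t0 + i * poll
        if mode == "sliding":
            user, cookie = check_sliding(cookie, now, max_age)
            if user is None:
                return now - t0
        elif check_absolute(cookie, now) is None:
            return now - t0
    return None
```

With a 90 s max age and a poll every 10 s, the sliding session is still alive after 120 s, while the absolute one dies at the 90 s mark.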