JupyterHub and JupyterLab Cookies (Privacy Policy)

Paul2708 · July 24, 2024, 1:01pm

Hey there,

We maintain a JupyterHub for students.
Due to privacy concerns and GDPR compliance, we must provide a list of cookies that may be used by JupyterHub or the spawned JupyterLab instance.
In fact, we have to mention the purpose of the cookie and its value.

Is there a dedicated documentation page about it, or can somebody reference the use of cookies in the source code?
Some other JupyterHub privacy policies mention that cookies are only used to keep track of the session. Is this sufficient?

Thanks in advance.

Best regards,
Paul

manics · July 25, 2024, 8:19am

Most of the cookies are related to logins and sessions. This is probably the best reference from the JupyterHub side:

There are also some XSRF cookies.

If you’ve installed some extensions it’s possible they’ll set additional cookies. It’s also worth noting that JupyterLab may use localStorage.

If you open a new incognito browser and open your dev tools it’s easy to check.

krassowski · July 25, 2024, 8:55am

Is there a dedicated documentation page about it

For JupyterLab: Privacy policies — JupyterLab 4.2.3 documentation

JupyterLab itself does not use any tracking cookies, only security cookies for login session perisstance and for cross site forgery prevention and these are in fact inherited from jupyter-server/tornado web server.

krassowski · July 25, 2024, 8:57am

The session cookie in jupyter-server is documented here: Security in the Jupyter Server — Jupyter Server documentation

krassowski · July 25, 2024, 9:01am

The xsrf (cross site forgery prevention) cookie is used in two places, here:

github.com

jupyterlab/jupyterlab/blob/d185c9bf3def74d440af1eac1e8a47d5c32c2e1c/packages/services/src/serverconnection.ts#L317-L354


      
          if (typeof document !== 'undefined') {
            const xsrfToken = getCookie('_xsrf');
            if (xsrfToken !== undefined) {
              authenticated = true;
              request.headers.append('X-XSRFToken', xsrfToken);
            }
          }
          
          // Set the content type if there is no given data and we are
          // using an authenticated connection.
          if (!request.headers.has('Content-Type') && authenticated) {
            request.headers.set('Content-Type', 'application/json');
          }
          
          // Use `call` to avoid a `TypeError` in the browser.
          return settings.fetch.call(null, request).catch((e: TypeError) => {
            // Convert the TypeError into a more specific error.
            throw new ServerConnection.NetworkError(e);
          });
          // TODO: *this* is probably where we need a system-wide connectionFailure

This file has been truncated. show original

and here:

github.com

jupyterlab/jupyterlab/blob/d185c9bf3def74d440af1eac1e8a47d5c32c2e1c/packages/services/src/contents/index.ts#L1169-L1185


      
          getDownloadUrl(localPath: string): Promise<string> {
            const baseUrl = this.serverSettings.baseUrl;
            let url = URLExt.join(baseUrl, FILES_URL, URLExt.encodeParts(localPath));
            let cookie = '';
            try {
              cookie = document.cookie;
            } catch (e) {
              // e.g. SecurityError in case of CSP Sandbox
            }
            const xsrfTokenMatch = cookie.match('\\b_xsrf=([^;]*)\\b');
            if (xsrfTokenMatch) {
              const fullUrl = new URL(url);
              fullUrl.searchParams.append('_xsrf', xsrfTokenMatch[1]);
              url = fullUrl.toString();
            }
            return Promise.resolve(url);
          }

Paul2708 · July 26, 2024, 2:15pm

Thank you so much for providing several insights!

Topic		Replies	Views
Security issues with jupyterhub-hub-login cookie JupyterHub security	7	1095	June 21, 2023
Cookie secret and state - how does it ensure secure login? JupyterHub	2	1583	April 6, 2020
Is Jupyter support Cookies/Session? JupyterLab	4	2608	February 10, 2021
Culling JupyterLab and OAuth cookies causing errors when user returns days later to use system JupyterHub	3	1839	March 27, 2019
Debugging Jupyterhub Authentication JupyterHub jupyterlab , jupyterhub , help-wanted	2	888	August 17, 2022

JupyterHub and JupyterLab Cookies (Privacy Policy)

Related topics