Login page cookie expires after 60 minutes

tmetzl · March 20, 2025, 9:46am

JupyterHub Version: 5.2.1
Helm Chart: 4.0.0

We frequently use JupyterHub in rooms with multiple PCs, where we pre-start the machines so that they display the login page (e.g. for exams).

We’ve noticed that if the login page remains open for more than 60 minutes before logging in, users encounter the following error after attempting to log in:

403 Forbidden: XSRF cookie does not match POST argument

Upon inspecting the cookies, we found that the max age for the cookie set on the login page is 60 minutes (3,600 seconds). Refreshing the page does not return users to the login screen; instead, it simply refreshes the error message. In an exam setting, this can cause confusion and anxiety, as students may think something has gone seriously wrong.

Is there a way to increase the max age of the cookie set on the login page or another workaround? We prefer to have the login page open at boot, as it serves as a simple confirmation that the hub is accessible and functioning properly.

minrk · March 21, 2025, 12:12pm

I never imagined the login page being open for more than a few minutes! The error should definitely be better than that.

It is not currently possible to override the expiration of anonymous xsrf tokens (the ones used by the login page), which is hardcoded here.

The simplest workaround might be to reload the login page while it’s idle with a custom login.html page template:

{% extends "templates/login.html" %}

{% block script %}
{{ super() }}
<script type="text/javascript">
  // reload login page every 10 minutes
  // to avoid expiration of form tokens
  setTimeout(() => {
    console.log("reloading");
    location.reload();
  }, 10 * 60 * 1000);
</script>
{% endblock script %}

With that, there may still be up to 10 minutes in an hour where the xsrf token has expired, because loading the login page doesn’t always set a new xsrf token unless the current one has expired. That should be fixed.

I’ll work on improving the behavior for expired tokens and keeping them alive.

tmetzl · March 21, 2025, 2:31pm

Thank you for your quick reply.
I suspected the cookie was hardcoded. We will try the workaround with the refresh or maybe put another page in front of that for now.

minrk · March 21, 2025, 4:41pm

improve xsrf errors on login by minrk · Pull Request #5022 · jupyterhub/jupyterhub · GitHub is my attempt to improve this. It doesn’t actually increase the expiration, but should greatly improve the experience of login failing due to this expiration, and make it less likely. It also means that above refresh strategy will actually guarantee a valid token because a fresh token is always set when the login page is served.

Topic		Replies	Views
Cookie _xsrf: how to change the default expiration time of 30 days? JupyterLab how-to , help-wanted	1	923	August 17, 2022
Invalidate JupyterHub user session after defined expiration time JupyterHub	2	2134	June 3, 2020
Overriding default xsrf cookie setting using xsrf_cookie_kwargs question JupyterHub	5	1357	November 15, 2022
Make user login again if cookies are expired JupyterHub	3	77	December 20, 2024
How to force re-login for users JupyterHub how-to	21	19063	March 12, 2024

Login page cookie expires after 60 minutes

Related topics