Logout API call

I’m trying to log a user out of all his sessions programmatically using the JupyterHub API. For the moment I can log a user out of all his server sessions by deleting his OAuth tokens using [DEL] /users/{name}/tokens/{token_id}.

The thing I don’t know is how I can log the user out of /hub. How do I reproduce the behavior of when a user clicks on logout on his home page, using the API?

I’m looking for the same thing – isn’t deleting their token and stopping their servers enough? Or is there another level of being logged in?

Logging users out of the Hub itself isn’t currently possible via the API, but it could be. Resetting the user’s cookie ID in the database invalidates all browser credentials, but there’s no API for that yet.

Thanks, I’ll keep that in mind next time I need to ban a user.

I just tried, and the cookie id can’t be set to null or empty string in the database – should I just set it to 0?

Set it to a new random string to invalidate existing cookies.

Oh right, I guess it shouldn’t be something that’s easily guessable.

Cookies are encrypted and signed with a private key on the Hub, so guessability is less the issue than collision with other users.
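
Added example, not part of the thread and not JupyterHub's own code: a sketch of the cookie ID reset described above, replacing one user's value with a new random string and retrying if it collides with another user's. It assumes a SQLite Hub database with a `users` table holding `name` and a unique, non-null `cookie_id` column (check this against the schema of your Hub version); `reset_cookie_id`, `make_demo_db` and `token_factory` are hypothetical names, and the sample rows are constructed.

```python
import secrets
import sqlite3


def reset_cookie_id(conn, username, token_factory=None, max_attempts=5):
    """Replace `username`'s cookie_id with a fresh random string.

    Browser cookies tied to the old value stop matching. Returns the new
    value; raises LookupError if the user does not exist.
    """
    token_factory = token_factory or (lambda: secrets.token_hex(16))
    for _ in range(max_attempts):
        new_id = token_factory()
        try:
            with conn:  # commit on success, roll back on error
                cur = conn.execute(
                    "UPDATE users SET cookie_id = ? WHERE name = ?",
                    (new_id, username),
                )
        except sqlite3.IntegrityError:
            continue  # value already used by another user: draw again
        if cur.rowcount == 0:
            raise LookupError(f"no such user: {username}")
        return new_id
    raise RuntimeError("could not generate a unique cookie_id")


def make_demo_db():
    """Constructed in-memory stand-in for the Hub database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, "
        "cookie_id TEXT NOT NULL UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO users (name, cookie_id) VALUES (?, ?)",
        [("alice", "a" * 32), ("bob", "b" * 32)],
    )
    return conn


def cookie_ids(conn):
    """Return {name: cookie_id} for every user."""
    return dict(conn.execute("SELECT name, cookie_id FROM users"))


if __name__ == "__main__":
    db = make_demo_db()
    print("new cookie_id for alice:", reset_cookie_id(db, "alice"))
    print(cookie_ids(db))
```

This only covers the Hub login; the user's tokens still have to be deleted through the `/users/{name}/tokens/{token_id}` endpoint mentioned in the first post.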