Move session_id from url parameter to cookie

Sending the session_id in the url parameter is a security vulnerability, it should be sent in the cookies instead. Is there a config in jupyterlab to accomplish this

Jupyterlab info

$ jupyter --version
jupyter core     : 4.7.1
jupyter-notebook : 6.4.3
qtconsole        : not installed
ipython          : 7.26.0
ipykernel        : 6.1.0
jupyter client   : 6.1.12
jupyter lab      : 3.1.6
nbconvert        : 6.1.0
ipywidgets       : not installed
nbformat         : 5.4.0
traitlets        : 5.2.2

As per Pass session id in headers as opposed to concatenating in URL · Issue #9481 · jupyterlab/jupyterlab · GitHub and Session id concatenated with URL · Issue #9387 · jupyterlab/jupyterlab · GitHub session ID is informational and not used for authentication (/only sent after authentication has been completed.) If you however believe that there is a security vulnerability please provide details following the instructions at Project Jupyter | Security.

1 Like

Thanks @krassowski for the detailed response.