Move session_id from url parameter to cookie

rising_star · June 29, 2022, 4:13am

Sending the session_id in the url parameter is a security vulnerability, it should be sent in the cookies instead. Is there a config in jupyterlab to accomplish this

Jupyterlab info

$ jupyter --version
jupyter core     : 4.7.1
jupyter-notebook : 6.4.3
qtconsole        : not installed
ipython          : 7.26.0
ipykernel        : 6.1.0
jupyter client   : 6.1.12
jupyter lab      : 3.1.6
nbconvert        : 6.1.0
ipywidgets       : not installed
nbformat         : 5.4.0
traitlets        : 5.2.2

krassowski · June 30, 2022, 7:55pm

As per Pass session id in headers as opposed to concatenating in URL · Issue #9481 · jupyterlab/jupyterlab · GitHub and Session id concatenated with URL · Issue #9387 · jupyterlab/jupyterlab · GitHub session ID is informational and not used for authentication (/only sent after authentication has been completed.) If you however believe that there is a security vulnerability please provide details following the instructions at Project Jupyter | Security.

rising_star · July 1, 2022, 8:47am

Thanks @krassowski for the detailed response.

Topic		Replies	Views
RFC: links with authentication (?token=...) to JupyterHub JupyterHub	0	560	November 17, 2021
Is Jupyter support Cookies/Session? JupyterLab	4	2569	February 10, 2021
Invalidate JupyterHub user session after defined expiration time JupyterHub	2	2029	June 3, 2020
Jupyterlab accepts arbitrary value in /login's "next" parameter JupyterLab security	1	465	August 11, 2023
Potential security issue? Security	7	1548	November 16, 2020

Move session_id from url parameter to cookie

Related Topics