Overriding default xsrf cookie setting using xsrf_cookie_kwargs question

By default, the xsrf expiry is set to 30 days and the _xsrf cookie path is set to /user/some-user-id.

We are setting httponly, the secure flag, and an expiry of 1 day as below:

c.Spawner.args = ['--ServerApp.tornado_settings={"headers": {"Content-Security-Policy": "frame-ancestors ..."}, "cookie_options": {"SameSite": "None", "Secure": True}, "xsrf_cookie_kwargs": {"httponly": True, "secure": True, "expires_days": 1}}']
c.JupyterHub.tornado_settings = {"headers": {"Content-Security-Policy": "frame-ancestors ..."}, "cookie_options": {"SameSite": "None", "Secure": True, "expires_days": 0.5}, "xsrf_cookie_kwargs": {"secure": True, "httponly": True, "expires_days": 1}}

Here the _xsrf path is set to /.

Questions:

  1. How do we set path for _xsrf?
  2. Is there any issue in terms of functionality if the path for _xsrf is / instead of /user/some-user-id?

Thanks
Mohan

_xsrf is set by your singleuser server (e.g. jupyter-server)

Can you explain why you want to change it to /?

Thanks for the reply. I don't want to change it to "/". What should the configuration be so that it sets the path? I configured "xsrf_cookie_kwargs": {"secure": True, "httponly": True, "expires_days": 1} in the JH helm config (hub: extraConfig:). How can I set the path ("base_url")? Since base_url is dynamic, what is the best way to set it?

JupyterHub sets several environment variables which you can see by running env in a terminal, e.g.:

JUPYTERHUB_SERVICE_PREFIX=/user/binderhub-ci-re-imal-dockerfile-9aogsd8o/

You could try writing a wrapper script that runs jupyterhub-singleuser (or whatever command you're using) with the custom arguments, and use that as your spawner command?

We put this in the helm config:

c.Spawner.args = ['--ServerApp.tornado_settings={"headers": {"Content-Security-Policy": "frame-ancestors urls..."}, "cookie_options": {"SameSite": "None", "Secure": True}, "xsrf_cookie_kwargs": {"secure": True, "expires_days": 0.5}}']

You are saying move this logic to pre_spawn_start and set the path for xsrf_cookie_kwargs using the env variable "JUPYTERHUB_SERVICE_PREFIX". Right?

Can you please share an example?

We are already overriding the pre_spawn_start method. So, I used the pre_spawn_start method to form the xsrf cookie path using string concatenation ('/user/' + user_id + '/') and set this value in the spawner arguments.
I am assuming the path pattern '/user/' + user_id + '/' will remain the same. Please confirm.

Please share if there is a better way to do it.

I was wondering, what is the proper way to secure cookies and set httponly flag to true?
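The following is an added example, not code from any post in this thread and not JupyterHub's or jupyter_server's own code. It shows the approach discussed above in working form: build the `--ServerApp.tornado_settings=...` argument with the per-user `path` inside `xsrf_cookie_kwargs` (tornado's `set_cookie()` defaults `path` to `/` whenever the key is absent, which is why the thread's override moved the cookie to `/`), and install it from a spawner hook, with `secure` and `httponly` set as the last question asks. The hook is written for `c.Spawner.pre_spawn_hook`; it assumes the JupyterHub Spawner API in which `spawner.server.base_url` is the same value the hub exports as `JUPYTERHUB_SERVICE_PREFIX`, so the prefix is read from the spawner rather than built by string concatenation (which would also cover named servers and a hub served under a sub-path). `FRAME_ANCESTORS`, `DemoSpawner`, and the user name are constructed values for the example.

```python
import ast

# Constructed value for the example (not from the thread): the CSP line that
# the thread elides with "frame-ancestors ...".
FRAME_ANCESTORS = "frame-ancestors 'self' https://portal.example.org"
ARG_PREFIX = "--ServerApp.tornado_settings="


def is_valid_prefix(service_prefix):
    """A service prefix looks like /user/<name>/ (leading and trailing slash)."""
    return (
        isinstance(service_prefix, str)
        and service_prefix.startswith("/")
        and service_prefix.endswith("/")
    )


def build_tornado_settings(service_prefix, expires_days=1):
    """Return the tornado_settings dict for one user's single-user server.

    xsrf_cookie_kwargs is handed to tornado's set_cookie() as keyword
    arguments, so "path" here is what scopes the _xsrf cookie to this
    user's server; leaving it out makes set_cookie() use its default "/".
    """
    if not is_valid_prefix(service_prefix):
        raise ValueError("service prefix must look like /user/<name>/: %r" % (service_prefix,))
    return {
        "headers": {"Content-Security-Policy": FRAME_ANCESTORS},
        "cookie_options": {"SameSite": "None", "Secure": True},
        "xsrf_cookie_kwargs": {
            "path": service_prefix,
            "secure": True,      # only sent over HTTPS
            "httponly": True,    # not readable from page JavaScript
            "expires_days": expires_days,
        },
    }


def tornado_settings_arg(service_prefix, expires_days=1):
    """Render the settings as a single --ServerApp.tornado_settings=... argument.

    repr() produces a Python literal, which is the form the thread's own
    config uses for the Dict value (True rather than JSON true).
    """
    return ARG_PREFIX + repr(build_tornado_settings(service_prefix, expires_days))


def parse_tornado_settings_arg(arg):
    """Inverse of tornado_settings_arg(): recover the dict the server will see."""
    if not arg.startswith(ARG_PREFIX):
        raise ValueError("not a tornado_settings argument: %r" % (arg,))
    return ast.literal_eval(arg[len(ARG_PREFIX):])


def pre_spawn_hook(spawner):
    """Use as c.Spawner.pre_spawn_hook = pre_spawn_hook in jupyterhub_config.py.

    Assumption (JupyterHub Spawner API): spawner.server.base_url holds the
    prefix the hub exports to the server as JUPYTERHUB_SERVICE_PREFIX.
    Any earlier tornado_settings argument (e.g. a static one from
    c.Spawner.args) is dropped so the server does not receive two
    conflicting values.
    """
    prefix = spawner.server.base_url
    kept = [a for a in spawner.args if not a.startswith(ARG_PREFIX)]
    spawner.args = kept + [tornado_settings_arg(prefix)]
    return spawner.args


class DemoSpawner:
    """Constructed stand-in for a JupyterHub Spawner, for running this offline."""

    class _Server:
        def __init__(self, base_url):
            self.base_url = base_url

    def __init__(self, base_url, args=()):
        self.server = self._Server(base_url)
        self.args = list(args)


if __name__ == "__main__":
    # Constructed user name; a static argument is present to show it is replaced.
    spawner = DemoSpawner("/user/mohan/", ["--ServerApp.tornado_settings={'x': 1}"])
    for arg in pre_spawn_hook(spawner):
        print(arg)
    print(parse_tornado_settings_arg(spawner.args[-1])["xsrf_cookie_kwargs"])
```

Setting `cookie_options` and `xsrf_cookie_kwargs` in one place this way means the _xsrf cookie gets the same `Secure`/`HttpOnly` treatment as the login cookie while keeping its path scoped to the user's server; whether a given jupyter_server release merges or replaces its own default `xsrf_cookie_kwargs` is not something this thread establishes, so check the resulting `Set-Cookie` header in the browser's developer tools after spawning.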