Overriding default xsrf cookie setting using xsrf_cookie_kwargs question

By default xsrf expiry is set to 30 days. _xsrf cookie path is set to /user/some-user-id

We are setting httponly, secure flag and setting expiry to 1 day as below c.Spawner.args = [“–ServerApp.tornado_settings={"headers":{"Content-Security-Policy": "frame-ancestors …”}, "cookie_options": {"SameSite": "None","Secure": True }, "xsrf_cookie_kwargs": {"httponly": True,"secure": True,"expires_days":1} }"]
c.JupyterHub.tornado_settings = {“headers”: {“Content-Security-Policy”: “frame-ancestors …”}, “cookie_options”: {“SameSite”: “None”,“Secure”: True,“expires_days”: 0.5}, “xsrf_cookie_kwargs”: {“secure”: True, “httponly”: True, “expires_days”: 1}}

Here _xsrf path is set to /


  1. How do we set path for _xsrf?
  2. Is there any issue in terms of functionality if the path for _xsrf is / instead of /user/some-user-id?


_xsrf is set by your singleuser server (e.g. jupyter-server)

Can you explain why you you want to change it to /?

Thanks for the reply. I don’t want to change it to “/”. What should be the configuration so that it puts the path? I configured “xsrf_cookie_kwargs”: {“secure”: True, “httponly”: True, “expires_days”: 1}} in JH helm config (hub: extraConfig:). How can I set the path (“base_url”)? Since base_url is dynamic, what is the best way to set it?

JupyterHub sets several environment variables which you can see by running env in a terminal, e.g.:


You could try writing a wrapper script that runs jupyterhub-singleuser (or whatever command you’re using) with the custom arguments, and use that as your spawner command?

We put this in helm config
c.Spawner.args = [“–ServerApp.tornado_settings={"headers":{"Content-Security-Policy": "frame-ancestors urls…”}, "cookie_options": {"SameSite": "None","Secure": True }, "xsrf_cookie_kwargs": {"secure": True,"expires_days":0.5} }"]
You are saying move this logic to pre_spawn_start and set path for xsrf_cookie_kwargs using the env variable “JUPYTERHUB_SERVICE_PREFIX”. right?

Can you please share example?

We are already overriding pre_spawn_start method. So, I used pre_spawn_start method to form xsrf cookie path using string concat (‘/user/’ + user_id + ‘/’) and set this value in spawner arguments.
I am assuming the path pattern ‘/user/’ + user_id + ‘/’ will remain same. Please confirm.

Please share if there is a better way to do it.