Hello,
I have a question about the logout behavior in The Littlest JupyterHub (TLJH), specifically regarding the jupyterhub-hub-login cookie.
When a user logs into The Littlest JupyterHub (TLJH), the browser receives a cookie with a format similar to: jupyterhub-hub-login="2|1:0|10:|20:jupyterhub-hub-login|44:=|"
After clicking the Logout button, the user is redirected to /hub/logout as expected.
However, I noticed that if I manually reuse the cookie value after logging out, I can still access certain API endpoints from the terminal. For example:
curl -X GET \
  -H 'Accept: application/jupyterhub-pagination+json' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: jupyterhub-hub-login="2|1:0|10:|20:jupyterhub-hub-login|44:=|"' \
  'https://<my-domain>/hub/api/proxy'
Even after logging out in the browser, this request still returns a valid response.
This behavior seems similar to what is described in this GitHub thread, but I wanted to confirm whether this is intended behavior so I know I didn't accidentally misconfigure anything.
My main question is:
When a user logs out, should the jupyterhub-hub-login cookie be invalidated server-side immediately?
If this behavior is expected, I'm wondering what the recommended mitigations are to reduce risk in the case of compromised cookies. For example:
- Reducing c.JupyterHub.cookie_max_age_days from the default 14 days
- Using logout_redirect_url
- Other session hardening configurations
For context:
- I am running TLJH on an EC2 instance
- Authentication is handled by MultiAuthenticator with OAuth providers (Microsoft and Google)
- The environment is primarily used as an internal tool within my company
I would appreciate clarification on whether this logout behavior is working as designed and what best practices are recommended for minimizing risk.
I appreciate your time.
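A small probe for the behaviour described above, added here as an example (it is not TLJH or JupyterHub code): it sends a saved jupyterhub-hub-login cookie to /hub/api/user, calls /hub/logout with that same cookie, then probes /hub/api/user again, so an administrator can verify whether a configuration change actually invalidates the cookie server-side. It assumes /hub/api/user returns the caller's user record with HTTP 200 when the cookie is accepted and 401/403 when it is not; the injectable `opener` parameter exists only so the logic can be exercised without a live Hub.

```python
"""Check whether a jupyterhub-hub-login cookie still authenticates after
/hub/logout has been called with it.  Example code, not part of JupyterHub."""
import json
import urllib.error
import urllib.request

COOKIE_NAME = "jupyterhub-hub-login"


def _request(opener, url, cookie_value):
    """GET url presenting only the hub-login cookie; return (status, JSON body or {})."""
    req = urllib.request.Request(
        url,
        headers={"Cookie": f"{COOKIE_NAME}={cookie_value}", "Accept": "application/json"},
    )
    try:
        with opener.open(req, timeout=10) as resp:
            raw = resp.read().decode("utf-8", "replace")
            try:
                return resp.status, json.loads(raw)
            except ValueError:  # HTML (e.g. the login page after a redirect), not JSON
                return resp.status, {}
    except urllib.error.HTTPError as exc:  # 401/403 mean the cookie was rejected
        return exc.code, {}


def check_logout_invalidation(hub_url, cookie_value, opener=None):
    """Probe the cookie before and after /hub/logout and summarise the outcome.

    'invalidated_server_side' is True only if the cookie authenticated before
    logout and is rejected (401/403) afterwards.  Assumed endpoint: /hub/api/user.
    """
    opener = opener or urllib.request.build_opener()
    base = hub_url.rstrip("/")
    before_status, before_body = _request(opener, f"{base}/hub/api/user", cookie_value)
    # Same request the browser's Logout button makes, but carrying only this cookie.
    _request(opener, f"{base}/hub/logout", cookie_value)
    after_status, after_body = _request(opener, f"{base}/hub/api/user", cookie_value)
    return {
        "user": before_body.get("name"),
        "valid_before_logout": before_status == 200 and "name" in before_body,
        "valid_after_logout": after_status == 200 and "name" in after_body,
        "invalidated_server_side": before_status == 200 and after_status in (401, 403),
    }


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://<my-domain> '<cookie value from your own session>'
    print(json.dumps(check_logout_invalidation(sys.argv[1], sys.argv[2]), indent=2))
```

A result with `valid_after_logout: true` reproduces what the post describes; rerunning the probe after changing the configuration shows whether the change closed the gap.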