Security issues with jupyterhub-hub-login cookie

Hi team, we are right now facing security related issue with Jupyterhub using kubespawner and AD Authentication.
If User B replaces his cookie(jupyterhub-hub-login) with same of User A, he would be able to access Notebook instance page on User B POD. In this case, he will have access to User A Notebook code and also will be able to connect to User A GCP resources (if User A had already authenticated).

Is there any solutions to this issue?

Hi! Could you provide some more detail on what the exact security issue is? Users shouldn’t share their login cookie, just like they shouldn’t share their password.

Hi @manics thanks for your response. Our security testing team is performing one of the test related to “CWE-269: Improper Privilege Management” and as part of this test 2 users(user A and user B) logged in into different browser on a same system.
User A logged in google chrome and User B in Safari. Since both were working on same system User B was able to copy the cookie data of User A and access User A’s notebook/data.
Is there a way to hide/delete the cookie post authorisation? Or if there is a way to initiate user re-login if there is change in cookies data.

Is there any solutions to this issue?

No, not generally, and this affects ~all websites, not just JupyterHub (including, etc.).

Cookies are credentials, and access to cookies generally means access to everything the browser session is authorized to access. For instance, I just manually copied my cookies for from one browser to another and I was logged in. Cookies are highly sensitive credentials, and access to cookies should be considered access to a lot of things across all websites the user has visited. Note that two users on the same system do not generally have access to each other’s cookies - these are private, protected files and users cannot read each other’s cookies without some modifications to filesystem permissions.

Is there a way to hide/delete the cookie post authorisation?

Yes, the user can log out of JupyterHub. Deleting cookies is the same thing as logging out (this is true for websites in general).

Or if there is a way to initiate user re-login if there is change in cookies data.

I’m not sure what you mean by ‘change in cookies data’? If you suspect a user’s cookies have been compromised, JupyterHub can invalidate all cookies for a given user by changing the user’s cookie_id (a random string) in the database:

python3 -m jupyterhub.dbutil shell
In [1]: import uuid
In [2]: user = orm.User.find(db, name='username')
In [3]: user.cookie_id = uuid.uuid4().hex
In [4]: db.commit()

Or it can invalidate all cookies for all users by changing the JupyterHub.cookie_secret configuration used to encrypt and sign cookies.

Hi @minrk , currently cookies value is fetched from browser using “Inspect”

Sorry but couldn’t understand which filesystem permissions are we talking here, can you please explain it a bit more.
After logging in we manually updated “jupyterhub-hub-login” cookie data with some random string and the application was logged out and it asked to re-login.
However if we pass some other users “jupyterhub-hub-login” cookie data it switches to that users profile. Shouldn’t it log out this time as well?

Another thing will setting env variable “JPY_COOKIE_SECRET” to store cookie secret be helpful?

@minrk is referring to a multi-user system, where each user has their own operating system account, and home directory permissions are set to prevent other users from having access.

In this case you’ve got a single operating system user account, and you’re giving multiple users access. In this situation there’s no good way to secure it- one user is effectively indistinguishable from another.

The cookie data identifies a user to JupyterHub. Therefore there’s no way for JupyterHub to detect if a user manually changes a cookie to be a different valid cookie, since both cookies provide valid identification. Even if there was a way to detect a “change” there’s nothing to stop a user cloning the complete browser profile including cookies, and therefore appearing identical.

I think your security team are asking for the impossible- if multiple users have access to the same system account, and they’re not restricted in anyway, and they don’t logout, and they’re likely to misuse the system by accessing someone else’s private browser data, then there’s not much you can do.

The most secure option is probably to give each user their own operating system account, and ensure permissions are setup so they get their own private home directory.

Why would they resort to copying the cookie data between browsers? Just use the other user’s browser directly. Read their email, buy something on Amazon.

Thank you all for you responses. We have rejected the issue due the above said reasons.
However we tried copying the browser cookies of a user logged into gcp console and when we copy it into another users browser session it re-directed to login page. Not sure how it is being handled on google’s side but I believe there is a way to handle such cookies copying issue but not a concern right now for us.