User automatic logout on inactivity

Hi everyone,

I’m currently trying to open a Jupyterhub instance deployed in my organization HPC cluster wide open on the internet. The final security requirement I have to answer is that users should be automatically logged out if they are inactive for more than say 10 minutes.

I’ve searched a bit for a solution to this, but did not find anything yet:

Is there any other solution?
Does the spawned notebook periodically checks with the hub if authentication is still valid?
Is it possible to implement something like this somewhere?

Thanks in advance,
Guillaume.

Hi, Have you taken a look into the culling options? They sound close to what you need.

Thanks for the answer, but as stated in the culling docs:

This means that leaving the computer running with the JupyterHub window open will not be treated as inactivity.

Which is precisely what I need. So culling won’t do it.

Yeah, that portion of the doc kinda surprised me as well. Culling at that level doesn’t strike me as very useful because of that.

For completeness, culling can also be configured within a Notebook server. In this case, the target of the culling operation is the kernel itself. In addition, there are more options - like culling connected kernels (probably what you’re after), or culling busy kernels (which I wouldn’t advise). See the options on MappingKernelManager. Since I believe you’re focusing primarily on resource consumption this may help, although I suspect the issue is the Notebook server itself. You need it to go away.

PS. Your links in your original post should be edited to not include the trailing colon.

Nope, I’m actually focused on preventing a malicious user to take control of a running Jupyterlab. I don’t care that the notebook server keeps running behind the scene, I just want the user to be disconnected if he is away from keyboard more than 10 minutes. That’s why I think culling is not what I’m after.

It seems I can’t edit my original post, not sure if this is a discourse trust level problem or something else…

So I also ran into https://github.com/jupyterhub/jupyterhub/issues/1780. This is what I would need: close open websocket connections upon logout.

I’m able to logout automaticaly from the hub, and also to prevent new access to /users/* after logout thanks to F5 technology in front of the hub.

But already open jupyterlab interface and specificaly open notebooks or terminals will continue to work.

Is there any way to force jupyterlab to do a page reload or any API I could use to check if login is still valid on notebook server side?

Ping @minrk if you have any advice?

I’ve fixed the links for you

Ok, so the solution of using F5 tech provided functionality is actually not working. Leaving the browser tab open on Jupyterlab will never trigger a timeout as the JavaScript application continuously issues http requests, so it is always seen as active as long as the browser tab has focus.

The only solution I see currently is to implement some kind of plugin which checks for inactivity on the client side, and automaticaly redirects to logout page if user doesn’t touch its mouse or keyboard during a given period.

Does that sounds feasible ?

Cc @minrk who already gave precise answers to questions like this one.

The Jupyterlab plugin solution does work in our case. We’ll soon share it on github, once it’s better tested, so that anyone can benefit from it!

1 Like