I’m currently trying to open a Jupyterhub instance deployed in my organization HPC cluster wide open on the internet. The final security requirement I have to answer is that users should be automatically logged out if they are inactive for more than say 10 minutes.
I’ve searched a bit for a solution to this, but did not find anything yet:
How to force re-login for users : the cookie_max_age_days config value is not having any effect on the started Jupyterlab, only on the jupyterhub pages, as stated on the discussion. Plus, I’m not sure if it takes into account only inactivity or if it ends up the session no matter what.
Is there any other solution?
Does the spawned notebook periodically checks with the hub if authentication is still valid?
Is it possible to implement something like this somewhere?
Yeah, that portion of the doc kinda surprised me as well. Culling at that level doesn’t strike me as very useful because of that.
For completeness, culling can also be configured within a Notebook server. In this case, the target of the culling operation is the kernel itself. In addition, there are more options - like culling connected kernels (probably what you’re after), or culling busy kernels (which I wouldn’t advise). See the options on MappingKernelManager. Since I believe you’re focusing primarily on resource consumption this may help, although I suspect the issue is the Notebook server itself. You need it to go away.
PS. Your links in your original post should be edited to not include the trailing colon.
Nope, I’m actually focused on preventing a malicious user to take control of a running Jupyterlab. I don’t care that the notebook server keeps running behind the scene, I just want the user to be disconnected if he is away from keyboard more than 10 minutes. That’s why I think culling is not what I’m after.
Ok, so the solution of using F5 tech provided functionality is actually not working. Leaving the browser tab open on Jupyterlab will never trigger a timeout as the JavaScript application continuously issues http requests, so it is always seen as active as long as the browser tab has focus.
The only solution I see currently is to implement some kind of plugin which checks for inactivity on the client side, and automaticaly redirects to logout page if user doesn’t touch its mouse or keyboard during a given period.
Does that sounds feasible ?
Cc @minrk who already gave precise answers to questions like this one.
@guillaumeeb we have the same challenge (enterprise context, strict security requirements to session TTL, etc). At current stage of research looks like a custom extension is the only way to implement proper session management (without forking/hacking the lab code itself).
although i have immediate feature request as we usually deal with strict security requirements which introduce also max session TTL (regardless idle time). i can imagine a configurable session’s endpoint to call periodically and validate 401/403 status code…
Only just found this thread and it is super cool to see how short the code is!
Some nitpicking on language: JupyterLab and classic Jupyter notebook are two different frontends that can be used with JupyterHub. This means there is no “classic JupyterHub”, only “classic Jupyter notebook”.
It would be cool to make a official package that is simultaneously a classic notebook and JupyterLab extension to get this functionality on both types of frontend.
I’m thinking we should make a variation of this extension for mybinder.org that shows users the (approximate) time remaining before their session will end (if they are getting close to the end). WDYT @manics?
If you’re publishing a JupyterHub extension what would be ideal from the mybinder.org point of view is if it could be customised if necessary, or perhaps extended i.e. use your extension as a library. I’ve no idea how to do that with JupyterLab though.
Anyway, if the mecanism could some way be put on Jupyterhub side, this would be great, but I did not found any simple solution.
The problem with the Jupyterlab or classic notebook extension is that if you propose a platform where users can customize and run their own Jupyterlab, you cannot easily ensure that the extension is installed…
So just wanted to ask if someone had an idea on how to put such a verification on Jupyterhub side?