set httponly on cookies

2025-10-15 14:03:02 +00:00 · 2017-07-11 11:06:00 +02:00
parent 396f454998
commit a51141810d
2 changed files with 5 additions and 3 deletions
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -253,10 +253,11 @@ class BaseHandler(RequestHandler):
    def _set_user_cookie(self, user, server):
        # tornado <4.2 have a bug that consider secure==True as soon as
        # 'secure' kwarg is passed to set_secure_cookie
+        kwargs = {
+            'httponly': True,
+        }
        if  self.request.protocol == 'https':
-            kwargs = {'secure': True}
-        else:
-            kwargs = {}
+            kwargs['secure'] = True
        if self.subdomain_host:
            kwargs['domain'] = self.domain
        self.log.debug("Setting cookie for %s: %s, %s", user.name, server.cookie_name, kwargs)
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -478,6 +478,7 @@ class HubOAuth(HubAuth):
        """Set a cookie recording OAuth result"""
        kwargs = {
            'path': self.base_url,
+            'httponly': True,
        }
        if handler.request.protocol == 'https':
            kwargs['secure'] = True