From d8f404d25e204f5dcb60e15fd08f7e02e97a88cc Mon Sep 17 00:00:00 2001 From: Min RK Date: Mon, 13 Nov 2023 11:21:58 +0100 Subject: [PATCH] Backport PR #4563: only set 'domain' field on session-id cookie --- jupyterhub/handlers/base.py | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/jupyterhub/handlers/base.py b/jupyterhub/handlers/base.py index 12ab1fab..397e3ccf 100644 --- a/jupyterhub/handlers/base.py +++ b/jupyterhub/handlers/base.py @@ -519,13 +519,18 @@ class BaseHandler(RequestHandler): def clear_login_cookie(self, name=None): kwargs = {} - if self.subdomain_host: - kwargs['domain'] = self.domain user = self.get_current_user_cookie() session_id = self.get_session_cookie() if session_id: # clear session id - self.clear_cookie(SESSION_COOKIE_NAME, path=self.base_url, **kwargs) + session_cookie_kwargs = {} + session_cookie_kwargs.update(kwargs) + if self.subdomain_host: + session_cookie_kwargs['domain'] = self.domain + + self.clear_cookie( + SESSION_COOKIE_NAME, path=self.base_url, **session_cookie_kwargs + ) if user: # user is logged in, clear any tokens associated with the current session @@ -574,8 +579,6 @@ class BaseHandler(RequestHandler): kwargs = {'httponly': True} if self.request.protocol == 'https': kwargs['secure'] = True - if self.subdomain_host: - kwargs['domain'] = self.domain kwargs.update(self.settings.get('cookie_options', {})) kwargs.update(overrides) @@ -610,8 +613,18 @@ class BaseHandler(RequestHandler): so other services on this domain can read it. """ session_id = uuid.uuid4().hex + # if using subdomains, set session cookie on the domain, + # which allows it to be shared by subdomains. + # if domain is unspecified, it is _more_ restricted to only the setting domain + kwargs = {} + if self.subdomain_host: + kwargs['domain'] = self.domain self._set_cookie( - SESSION_COOKIE_NAME, session_id, encrypted=False, path=self.base_url + SESSION_COOKIE_NAME, + session_id, + encrypted=False, + path=self.base_url, + **kwargs, ) return session_id