hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-09 19:13:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Backport PR #4563: only set 'domain' field on session-id cookie

Browse Source
This commit is contained in:
Min RK
2023-11-13 11:21:58 +01:00
committed by MeeseeksDev[bot]
parent 4492b508a1
commit d8f404d25e
1 changed files with 19 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
jupyterhub/handlers/base.py
View File

@@ -519,13 +519,18 @@ class BaseHandler(RequestHandler):
def clear_login_cookie(self, name=None): def clear_login_cookie(self, name=None):
kwargs = {} kwargs = {}
if self.subdomain_host:
kwargs['domain'] = self.domain
user = self.get_current_user_cookie() user = self.get_current_user_cookie()
session_id = self.get_session_cookie() session_id = self.get_session_cookie()
if session_id: if session_id:
# clear session id # clear session id
self.clear_cookie(SESSION_COOKIE_NAME, path=self.base_url, **kwargs) session_cookie_kwargs = {}
session_cookie_kwargs.update(kwargs)
if self.subdomain_host:
session_cookie_kwargs['domain'] = self.domain
self.clear_cookie(
SESSION_COOKIE_NAME, path=self.base_url, **session_cookie_kwargs
)
if user: if user:
# user is logged in, clear any tokens associated with the current session # user is logged in, clear any tokens associated with the current session
@@ -574,8 +579,6 @@ class BaseHandler(RequestHandler):
kwargs = {'httponly': True} kwargs = {'httponly': True}
if self.request.protocol == 'https': if self.request.protocol == 'https':
kwargs['secure'] = True kwargs['secure'] = True
if self.subdomain_host:
kwargs['domain'] = self.domain
kwargs.update(self.settings.get('cookie_options', {})) kwargs.update(self.settings.get('cookie_options', {}))
kwargs.update(overrides) kwargs.update(overrides)
@@ -610,8 +613,18 @@ class BaseHandler(RequestHandler):
so other services on this domain can read it. so other services on this domain can read it.
""" """
session_id = uuid.uuid4().hex session_id = uuid.uuid4().hex
# if using subdomains, set session cookie on the domain,
# which allows it to be shared by subdomains.
# if domain is unspecified, it is _more_ restricted to only the setting domain
kwargs = {}
if self.subdomain_host:
kwargs['domain'] = self.domain
self._set_cookie( self._set_cookie(
SESSION_COOKIE_NAME, session_id, encrypted=False, path=self.base_url SESSION_COOKIE_NAME,
session_id,
encrypted=False,
path=self.base_url,
**kwargs,
) )
return session_id return session_id