Skip to content

Comments

Add IdentityProvider.cookie_secret_hook#1569

Merged
minrk merged 4 commits intojupyter-server:mainfrom
emin63:bugfix-passwd-change
Feb 12, 2026
Merged

Add IdentityProvider.cookie_secret_hook#1569
minrk merged 4 commits intojupyter-server:mainfrom
emin63:bugfix-passwd-change

Conversation

@emin63
Copy link
Contributor

@emin63 emin63 commented Nov 3, 2025
edited by minrk
Loading

Fixes #1566

This fixes a bug where changing the password still allowed login by a previous cookie even if the server was restarted.

See https://github.com/jupyter-server/jupyter_server/pull/1567/files#r2483108218 for original discussion.

I tested as follows:

  1. Setup a tempdir for various config/runtime directories:
    • \rm -rf /tmp/jup_temp && mkdir /tmp/jup_temp
  2. Set env vars to point config at above:
    • export JUPYTER_CONFIG_DIR=/tmp/jup_temp/conf
    • export XDG_CONFIG_HOME=/tmp/jup_temp/xdg
    • export JUPYTER_DATA_DIR=/tmp/jup_temp/data
    • export JUPYTER_RUNTIME_DIR=/tmp/jup_temp/run
  3. Set password
    • jupyter server password # type password1
  4. Start server and login with password to save cookie.
    • jupyter server
  5. Change password:
    • jupyter server password # type password2
  6. Restart server and try to login to verify that old cookie does not work and you are challenged for new password.
    • jupyter server

emin63 added 3 commits November 3, 2025 09:57
@emin63
Fix bug in issue jupyter-server#1566 based on ideas in jupyter-server…
c6846cb 
…#1567.

This fixes a bug where changing the password still allowed
login by a previous cookie even if the server was restarted.
@emin63
fix type hint
68aef60
@emin63
import hmac only for type checking to fix lint
d8aba18
@krassowski krassowski added the bug label Nov 27, 2025
@krassowski krassowski mentioned this pull request Feb 9, 2026
Closed
@minrk minrk changed the title Fix bug in issue #1566 based on ideas in #1567. Add IdentityProvider.cookie_secret_hook Feb 9, 2026
@minrk minrk merged commit 8f13c24 into jupyter-server:main Feb 12, 2026
35 of 38 checks passed
@minrk
Copy link
Contributor

minrk commented Feb 12, 2026

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Authentication Cookies Remain Valid After Password Reset and Server Restart

3 participants

@emin63 @minrk @krassowski