Skip to content

Comments

Add IdentityProvider.cookie_secret_hook#1569

Merged
minrk merged 4 commits intojupyter-server:mainfrom
emin63:bugfix-passwd-change
Feb 12, 2026
Merged

Add IdentityProvider.cookie_secret_hook#1569
minrk merged 4 commits intojupyter-server:mainfrom
emin63:bugfix-passwd-change

Conversation

@emin63
Copy link
Contributor

@emin63 emin63 commented Nov 3, 2025

Fixes #1566

This fixes a bug where changing the password still allowed login by a previous cookie even if the server was restarted.

See https://github.com/jupyter-server/jupyter_server/pull/1567/files#r2483108218 for original discussion.

I tested as follows:

  1. Setup a tempdir for various config/runtime directories:
    • \rm -rf /tmp/jup_temp && mkdir /tmp/jup_temp
  2. Set env vars to point config at above:
    • export JUPYTER_CONFIG_DIR=/tmp/jup_temp/conf
    • export XDG_CONFIG_HOME=/tmp/jup_temp/xdg
    • export JUPYTER_DATA_DIR=/tmp/jup_temp/data
    • export JUPYTER_RUNTIME_DIR=/tmp/jup_temp/run
  3. Set password
    • jupyter server password # type password1
  4. Start server and login with password to save cookie.
    • jupyter server
  5. Change password:
    • jupyter server password # type password2
  6. Restart server and try to login to verify that old cookie does not work and you are challenged for new password.
    • jupyter server

…#1567.

This fixes a bug where changing the password still allowed
login by a previous cookie even if the server was restarted.
@krassowski krassowski added the bug label Nov 27, 2025
@minrk minrk changed the title Fix bug in issue #1566 based on ideas in #1567. Add IdentityProvider.cookie_secret_hook Feb 9, 2026
@minrk minrk merged commit 8f13c24 into jupyter-server:main Feb 12, 2026
35 of 38 checks passed
@minrk
Copy link
Contributor

minrk commented Feb 12, 2026

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Authentication Cookies Remain Valid After Password Reset and Server Restart

3 participants