I see your point. But the issue is compounded by the fact that since the logout is occurring through the REST API, the browser still maintains the cookie. So, after performing logout on the command line I can go back to the browser and continue to have access.
We recently underwent a security evaluation of our app, which uses JWT, and we were told that we have the same problem in that we need to configure our app to have a persistent store of invalidated tokens to ensure they can't be re-used after logout. It seems that would be the best security practice. Since in my use case I'm using jwtauthenticator, I was planning to submit a PR to make that option available in the authenticator. That wouldn't make sense unless the protection were there for the jupyter token as well.

On Friday, January 19, 2018 at 2:29:46 AM UTC-8, takowl wrote:
>
> Logging out should clear the cookie in the browser, but if you've taken a copy of the cookie before that, it's still valid.
>
> On 19 January 2018 at 00:05, Tim Harsch <[email protected]> wrote:
>
>> I'm trying to understand the logout chain in jupyterhub/notebooks, version 0.8.1 and 5.1.0 respectively. I'm using dockerspawner and jwtauthenticator.
>>
>> I would like to effect a logout from outside the UI, so I tried using the API token and that doesn't seem to work as I get a 403. So I started experimenting and performed this simple test:
>>
>> Login to jupyterhub with Chrome developer tools. In the network tab, right-click and copy the /user/{name}/api/contents call as a curl command. Execute the command at the terminal (which includes the Cookie header). Notice success with JSON.
>> Go to the UI and choose logout in the UI.
>> Repeat the curl command and notice the same result. I'm allowed into a logged out session with the Cookie token. Does this seem like a bug? Or I wonder if it has to do with my fairly specific environment?
>>
>> Thanks,
>> Tim
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/fbb689b6-ca3d-4c7c-abfe-e7ee5fee7cee%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
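For the problem raised in this thread (a cookie copied before logout stays valid) and the evaluator's recommendation of a persistent store of invalidated tokens, here is an added example of such a store; it is not JupyterHub, notebook or jwtauthenticator code. Logout records the token's `jti`, and every later check consults the denylist in addition to the signature and expiry. HMAC-signed JSON stands in for a real JWT, and the secret, user name and sqlite path are constructed placeholders.

```python
# Added example, not JupyterHub/jwtauthenticator code: a persistent denylist of
# logged-out tokens so a cookie copied before logout is rejected afterwards.
import base64, hashlib, hmac, json, sqlite3, time, uuid

SECRET = b"constructed-demo-secret"  # placeholder; load from config in practice

_b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
_unb64 = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, ttl: int = 3600, now=None) -> str:
    """Mint a token carrying a unique id (jti) and an expiry (exp)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "jti": uuid.uuid4().hex, "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

class RevocationStore:
    """Revoked jti values in sqlite3; pass a file path so they survive restarts."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS revoked (jti TEXT PRIMARY KEY, exp INTEGER)")
    def revoke(self, jti: str, exp: int) -> None:
        with self.db:  # commits on exit
            self.db.execute("INSERT OR REPLACE INTO revoked VALUES (?, ?)", (jti, exp))
    def is_revoked(self, jti: str) -> bool:
        return self.db.execute("SELECT 1 FROM revoked WHERE jti = ?", (jti,)).fetchone() is not None
    def prune(self, now=None) -> int:
        """Drop rows whose token has expired anyway, so the store stays bounded."""
        now = time.time() if now is None else now
        with self.db:
            return self.db.execute("DELETE FROM revoked WHERE exp < ?", (int(now),)).rowcount

def verify_token(token: str, store: RevocationStore, now=None):
    """Return the claims only if signature, expiry and denylist checks all pass."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not sig or not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] < now or store.is_revoked(claims["jti"]):
        return None
    return claims

def logout(token: str, store: RevocationStore, now=None) -> bool:
    """Logout handler: record the jti so later presentations of the cookie fail."""
    claims = verify_token(token, store, now)
    if claims is None:
        return False
    store.revoke(claims["jti"], claims["exp"])
    return True
```

A logout triggered from the command line and one triggered from the UI both end up in the same store, so the check applies regardless of which path performed the logout.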
