I believe the use cases and patterns for JupyterHub vs notebook could be sufficiently different that we may want to look more into the details. IMHO having a set cookie to log in to a notebook seems reasonable, as users often only use it on localhost, and once you are logged in you want your login status to persist during notebook restart (which can be quite often). For Hub, as Hub is an intermediary that is likely up for long periods of time, having 1 cookie/client that is revocable does make more sense from the security point of view.
I would bring this discussion to the Hub tracker (and it may be that the hub does that already).

--
M

On 22 January 2018 at 00:07, Roland Weber <[email protected]> wrote:

> On Saturday, January 20, 2018 at 12:08:16 AM UTC+1, Lawrence D’Oliveiro wrote:
>>
>> Surely it’s the other way round, the usual practice being to maintain a store of *valid* tokens, with a finite lifetime attached to each (perhaps reset when they get presented again). The tokens get deleted either on explicit logout or implicitly on lifetime expiry. Anything that isn’t currently recognized from the store entries is invalid.
>
> Nope, that would require a central store of tokens. In single sign-on environments, or with more complex authentication schemes like OAuth, web servers have to accept tokens that were issued elsewhere. They don't know about a token until it is presented to them.
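
The two token models discussed in this thread, side by side, as an added example that is not part of the original messages or of Jupyter's code. All names are hypothetical, and the shared HMAC secret is an assumed stand-in for whatever signature check a single sign-on or OAuth deployment would use.

```python
import hashlib
import hmac
import secrets
import time


class ValidTokenStore:
    """Central store of valid tokens; anything not in the store is invalid."""

    def __init__(self, lifetime=3600.0, clock=time.monotonic):
        self.lifetime, self.clock = lifetime, clock
        self._expiry = {}  # sha256(token) -> expiry time; raw tokens are not kept

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self):
        token = secrets.token_urlsafe(32)
        self._expiry[self._key(token)] = self.clock() + self.lifetime
        return token

    def check(self, token):
        key, now = self._key(token), self.clock()
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[key]  # implicit deletion on lifetime expiry
            return False
        self._expiry[key] = now + self.lifetime  # lifetime reset on presentation
        return True

    def logout(self, token):
        self._expiry.pop(self._key(token), None)  # explicit deletion


def sign(secret, user, expires_at):
    """Issuer side of a self-contained token: user|expiry|HMAC-SHA256."""
    payload = f"{user}|{int(expires_at)}"
    return payload + "|" + hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def verify(secret, token, now):
    """A server holding `secret` checks a token it has never seen before."""
    try:
        user, exp, mac = token.rsplit("|", 2)
    except ValueError:
        return None
    good = hmac.new(secret, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    return user if now < int(exp) else None
```

In the store model `logout()` takes effect immediately; in the signed model `verify()` keeps accepting the token until its embedded expiry unless the verifying servers also consult some shared revocation state.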
