I spent some time digging into Spring to see how it is handled. They have a PersistentTokenBasedRememberMeServices class. It generally follows this standard approach http://jaspan.com/improved_persistent_login_cookie_best_practice. The article was a very interesting read and I think it may be applicable to this issue.
On Monday, January 22, 2018 at 8:04:18 AM UTC-8, Matthias Bussonnier wrote:
>
> I believe the use case and patterns for JupyterHub vs notebook could be
> sufficiently different that we may want to look more into details.
> IMHO having a set cookie to login to a notebook seems reasonable, as users
> often only use it on localhost, and once you are logged in you want your
> login status to persist during notebook restart (which can be quite often).
> For Hub, as Hub is an intermediary that is likely up for long periods of
> time, having 1 cookie/client that is revokable does make more sense from
> the security point of view.
>
> I would bring this discussion to the Hub tracker (and it may be that the
> hub does that already).
> --
> M
>
> On 22 January 2018 at 00:07, Roland Weber <[email protected]> wrote:
>
>> On Saturday, January 20, 2018 at 12:08:16 AM UTC+1, Lawrence D'Oliveiro wrote:
>>>
>>> Surely it's the other way round, the usual practice being to maintain a
>>> store of *valid* tokens, with a finite lifetime attached to each
>>> (perhaps reset when they get presented again). The tokens get deleted
>>> either on explicit logout or implicitly on lifetime expiry. Anything that
>>> isn't currently recognized from the store entries is invalid.
>>>
>>
>> Nope, that would require a central store of tokens. In single sign-on
>> environments, or with more complex authentication schemes like OAuth, web
>> servers have to accept tokens that were issued elsewhere. They don't know
>> about a token until it is presented to them.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Project Jupyter" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jupyter/774bf08b-89ef-486f-9466-3c5aaae2f7d6%40googlegroups.com
>> For more options, visit https://groups.google.com/d/optout.
>>
>
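The series/token "remember me" scheme that the linked article describes, and that the message above says Spring follows, as an added Python example. This is not code from the thread, from Spring, or from Jupyter; the in-memory store, the `series:token` cookie layout, the SHA-256 hashing of stored tokens and every function name are assumptions made here. It also illustrates Roland Weber's point: the scheme only works because the server keeps a central store keyed by series identifier, which is what lets it tell a stale replayed token (theft suspected) apart from a token it has never seen (plain invalid).

```python
import hashlib
import hmac
import secrets
import time


class RememberMeStore:
    """Persistent-login cookies in the series/token style.

    Each cookie carries a random series identifier plus a random token.
    The server stores only a hash of the token, rotates the token on every
    successful use, and treats "known series, wrong token" as evidence
    that the cookie was stolen and has already been replayed.
    (Hypothetical in-memory store; a deployment would use a database table.)
    """

    def __init__(self, lifetime_seconds=30 * 24 * 3600):
        self.lifetime = lifetime_seconds
        # series -> {"user": ..., "token_hash": ..., "expires": ...}
        self._rows = {}

    @staticmethod
    def _hash(token):
        # Stored hashed so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        """Create a new series for `user` and return the cookie value."""
        now = time.time() if now is None else now
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._rows[series] = {
            "user": user,
            "token_hash": self._hash(token),
            "expires": now + self.lifetime,
        }
        return f"{series}:{token}"

    def validate(self, cookie, now=None):
        """Check a presented cookie.

        Returns (status, user, new_cookie) where status is 'ok', 'invalid'
        or 'theft'. On 'ok' the caller must set new_cookie on the client.
        """
        now = time.time() if now is None else now
        try:
            series, token = cookie.split(":", 1)
        except ValueError:
            return ("invalid", None, None)
        row = self._rows.get(series)
        if row is None:
            # Unknown series: never issued by us, or already revoked/logged out.
            return ("invalid", None, None)
        if now >= row["expires"]:
            del self._rows[series]
            return ("invalid", None, None)
        if not hmac.compare_digest(row["token_hash"], self._hash(token)):
            # Series is ours but the token is stale: someone else has already
            # used a copy of this cookie. Revoke every series for the user so
            # both the victim and the thief are logged out.
            user = row["user"]
            self.revoke_user(user)
            return ("theft", user, None)
        # Valid: rotate the token within the same series and extend expiry.
        new_token = secrets.token_urlsafe(32)
        row["token_hash"] = self._hash(new_token)
        row["expires"] = now + self.lifetime
        return ("ok", row["user"], f"{series}:{new_token}")

    def revoke(self, cookie):
        """Explicit logout: drop just this series (other devices stay logged in)."""
        series = cookie.split(":", 1)[0]
        self._rows.pop(series, None)

    def revoke_user(self, user):
        """Drop every series belonging to `user`."""
        for series in [s for s, r in self._rows.items() if r["user"] == user]:
            del self._rows[series]

    def active_series(self, user):
        return sum(1 for r in self._rows.values() if r["user"] == user)


if __name__ == "__main__":
    store = RememberMeStore(lifetime_seconds=3600)
    cookie = store.issue("alice", now=1000)
    print(store.validate(cookie, now=1001)[0])   # ok, and a rotated cookie is returned
    print(store.validate(cookie, now=1002)[0])   # theft: old token replayed after rotation
```

The `now` parameter exists only so expiry can be exercised deterministically; in a request handler you would let it default to the clock. Note what the scheme does not give you: a per-request central lookup, which is exactly the cost Roland Weber points out for single sign-on or OAuth deployments where the verifying server did not issue the token.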
