Secured cookie settings for IPython (Tornado)


Stas Vonholsky

Mar 17, 2016, 7:31:00 AM3/17/16
to Project Jupyter

Hi All,

I'm deploying an IPython server and need to harden some settings around cookie handling.

Requirements:

Set the HttpOnly Flag. The HttpOnly flag restricts read access to the cookie from scripts on the page.

Set the Secure Flag. The Secure flag should be set for web applications being served over SSL. It indicates to the browser that the cookie should only be sent via encrypted channels.

Ensure that Old Sessions Expire. All sessions should be cleared from the server after a period of inactivity has been reached. Typically 15 to 20 minutes of inactivity is long enough to allow sessions to stay inactive.

I'm using IPython 3.2.1. The Tornado version is 4.2.1.
I'm running it from the jupyter/notebook Docker with Ubuntu 14.04.

I've noticed some options on the Tornado server docs that should take care of the expiry of old sessions.
The Tornado docs have a "set_secure_cookie" option and a "max_age_days" property.
http://www.tornadoweb.org/en/stable/guide/security.html?highlight=cookie

Can I pass some of these requirements through the IPython config? Do I need to edit the Tornado config files directly?

I've noticed that in version 3.X one can set custom SSL options for the tornado server with NotebookApp.ssl_options.
Can this help with the above requirements ?

I didn't find what I was looking for. Nothing in the new docs as well.

Many thanks,
Stas

MinRK

Mar 18, 2016, 8:55:33 AM3/18/16
to jup...@googlegroups.com

On Thu, Mar 17, 2016 at 12:30 PM, Stas Vonholsky <stas....@gmail.com> wrote:


Hi All,

I'm deploying an IPython server and need to harden some settings around cookie handling.

Requirements:

Set the HttpOnly Flag. The HttpOnly flag restricts read access to the cookie from scripts on the page.

We don’t expose the ability to set this flag, but I’ve opened a PR to expose all of the set_secure_cookie options via configuration.

Set the Secure Flag. The Secure flag should be set for web applications being served over SSL. It indicates to the browser that the cookie should only be sent via encrypted channels.

We do already set the secure flag if the notebook is accessed over https.


Ensure that Old Sessions Expire. All sessions should be cleared from the server after a period of inactivity has been reached. Typically 15 to 20 minutes of inactivity is long enough to allow sessions to stay inactive.

This one’s harder. We don’t track a ‘period of activity’. Cookies can have a max age (expires_days), which you can set with the cookie_options flags in the above PR, but there is no way to identify that a user has been idle for 20 minutes at this point.

-MinRK



Stas Vonholsky

Mar 18, 2016, 9:48:29 AM3/18/16
to Project Jupyter

Thanks MinRK! That's very useful (that's the only thing left on my security check list)

Stas Vonholsky

Mar 31, 2016, 7:12:05 AM3/31/16
to Project Jupyter

MinRK, thanks again for the PR.
I saw that the HTTP only is configured by default.
How would I set the max age property when  ?

For the password I add:
--NotebookApp.password="$HASH"

Would that be something like:
--NotebookApp.cookie_settings="max_age_days=1" ?


Stas Vonholsky

Mar 31, 2016, 4:11:57 PM3/31/16
to Project Jupyter
Got it.

--NotebookApp.cookie_options="{\"expires_days\" : 1}" 
or
--NotebookApp.cookie_options="{\"expires_days\" : 0.04}"
for around an hour.

Thanks again!
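After setting cookie_options as above, the sensible next step is to confirm what the server actually sends. The following stdlib-only checker audits a Set-Cookie header value against the three requirements raised in the thread (HttpOnly, Secure, bounded lifetime). It is an added example, not code from the thread or from the Jupyter project; the cookie names and header values in it are constructed, and both the Max-Age and Expires forms of the lifetime are handled.

```python
"""Audit a Set-Cookie header value for HttpOnly, Secure and a bounded lifetime."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lower-cased.
    Splitting on ';' keeps the comma inside an Expires date intact."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attrs carry no value
    return name.strip(), value, attrs


def lifetime_seconds(attrs, now=None):
    """Cookie lifetime in seconds; None for a session cookie (no Max-Age/Expires)."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit_cookie(header, max_lifetime=24 * 3600, now=None):
    """Return a list of findings; an empty list means all three checks pass."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    life = lifetime_seconds(attrs, now)
    if life is None:
        findings.append(f"{name}: no Max-Age/Expires (session cookie never ages out)")
    elif life > max_lifetime:
        findings.append(f"{name}: lifetime {life}s exceeds limit of {max_lifetime}s")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    print(audit_cookie("sess=abc123; Path=/"))
    print(audit_cookie("sess=abc123; Path=/; Max-Age=3600; HttpOnly; Secure"))
```

Paste in the Set-Cookie value from the login response of your own server to see which of the three requirements still fail after the config change.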