set_secure_cookie" option and a "max_age_days" property. Can this help with the above requirements?

On Thu, Mar 17, 2016 at 12:30 PM, Stas Vonholsky <stas....@gmail.com> wrote:
Hi All,
I'm deploying an IPython server and need to harden some settings around cookie handling.
Requirements:
Set the HttpOnly Flag. The HttpOnly flag restricts read access to the cookie from scripts on the page.
We don’t expose the ability to set this flag, but I’ve opened a PR to expose all of the set_secure_cookie options via configuration.
Set the Secure Flag. The Secure flag should be set for web applications being served over SSL. It indicates to the browser that the cookie should only be sent via encrypted channels.
We do already set the secure flag if the notebook is accessed over https.
Ensure that Old Sessions Expire. All sessions should be cleared from the server after a period of inactivity has been reached. Typically 15 to 20 minutes of inactivity is long enough to allow sessions to stay inactive.
This one’s harder. We don’t track a ‘period of activity’. Cookies can have a max age (expires_days), which you can set with the cookie_options flags in the above PR, but there is no way to identify that a user has been idle for 20 minutes at this point.
-MinRK
Can I pass some of these requirements through the IPython config? Do I need to edit the Tornado config files directly?
I'm running it from the jupyter/notebook Docker with Ubuntu 14.04.
I'm using IPython 3.2.1. The Tornado version is 4.2.1.
I've noticed some options on the Tornado server docs that should take care of the expiry of old sessions.
The Tornado docs have a "set_secure_cookie" option and a "max_age_days" property.
http://www.tornadoweb.org/en/stable/guide/security.html?highlight=cookie
I've noticed that in version 3.X one can set custom SSL options for the tornado server with NotebookApp.ssl_options. Can this help with the above requirements?
Some cookie settings were mentioned here:
https://ipython.org/ipython-doc/3/config/options/notebook.html
I didn't find what I was looking for. Nothing in the new docs either.
Many thanks,
Stas
max_age_days=1" ?
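An added check, not code from the thread or from IPython/Tornado, that audits a Set-Cookie header against the three requirements Stas lists (HttpOnly, Secure, bounded lifetime) so a deployer can verify what the notebook server actually emits. The cookie name and header values are constructed samples, the one-day bound is an assumption taken from the max_age_days=1 figure quoted above, and the check covers only the maximum lifetime MinRK describes, not idle-time expiry.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Policy bound taken from the "max_age_days=1" setting discussed in the thread.
MAX_LIFETIME = timedelta(days=1)
# Constructed reference time (the thread's date) so Expires checks are reproducible.
REFERENCE_NOW = datetime(2016, 3, 17, 12, 30, tzinfo=timezone.utc)

# Constructed sample headers; the value is a placeholder, not a real signed token.
WEAK_HEADER = "username-localhost-8888=CONSTRUCTED_VALUE; Path=/"
HARDENED_HEADER = ("username-localhost-8888=CONSTRUCTED_VALUE; Path=/; "
                   "HttpOnly; Secure; Max-Age=86400")
LONG_LIVED_HEADER = ("username-localhost-8888=CONSTRUCTED_VALUE; HttpOnly; Secure; "
                     "Expires=Sat, 16 Apr 2016 12:30:00 GMT")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); bare flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookie(header, now=None):
    """Return the list of requirements the cookie fails; empty means it passes."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("HttpOnly missing: page scripts can read the cookie")
    if attrs.get("secure") is not True:
        findings.append("Secure missing: cookie may be sent over plain HTTP")
    lifetime = None
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    if lifetime is None:
        findings.append("no Max-Age/Expires: lifetime is left to the browser")
    elif lifetime > MAX_LIFETIME:
        findings.append("lifetime %s exceeds the %s policy" % (lifetime, MAX_LIFETIME))
    return findings


if __name__ == "__main__":
    for h in (WEAK_HEADER, HARDENED_HEADER, LONG_LIVED_HEADER):
        print(h.split(";")[0], "->", audit_cookie(h, REFERENCE_NOW) or "OK")
```

Run it against the Set-Cookie header captured from a browser's network inspector or from curl -i against the notebook server.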