From 417b17450e7772a99c92c883083e9148bcaa0112 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 18 Mar 2016 13:46:29 +0100
Subject: [PATCH 1/2] Add `cookie_options` to make cookie args configurable

---
 notebook/auth/login.py  | 9 ++++-----
 notebook/notebookapp.py | 5 +++++
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/notebook/auth/login.py b/notebook/auth/login.py
index 759d86bc7d..9bceba8296 100644
--- a/notebook/auth/login.py
+++ b/notebook/auth/login.py
@@ -39,15 +39,14 @@ def hashed_password(self):
 
     def post(self):
         typed_password = self.get_argument('password', default=u'')
+        cookie_options = self.settings.get('cookie_options', {})
         if self.login_available(self.settings):
             if passwd_check(self.hashed_password, typed_password):
-                # tornado <4.2 have a bug that consider secure==True as soon as
+                # tornado <4.2 has a bug that considers secure==True as soon as
                 # 'secure' kwarg is passed to set_secure_cookie
                 if self.settings.get('secure_cookie', self.request.protocol == 'https'):
-                    kwargs = {'secure': True}
-                else:
-                    kwargs = {}
-                self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **kwargs)
+                    cookie_options.setdefault('secure', True)
+                self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **cookie_options)
             else:
                 self.set_status(401)
                 self._render(message={'error': 'Invalid password'})
diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
index 48deca9fc8..e4eaa3e4a6 100644
--- a/notebook/notebookapp.py
+++ b/notebook/notebookapp.py
@@ -617,6 +617,10 @@ def _webapp_settings_changed(self, name, old, new):
             help="Supply overrides for the tornado.web.Application that the "
                  "Jupyter notebook uses.")
 
+    cookie_options = Dict(config=True,
+        help="Extra keyword arguments to pass to `set_secure_cookie`."
+             " See tornado's set_secure_cookie docs for details."
+    )
     ssl_options = Dict(config=True,
             help="""Supply SSL options for the tornado HTTPServer.
             See the tornado docs for details.""")
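Review bot: `cookie_options.setdefault('secure', True)` mutates the very dict that `self.settings.get('cookie_options', {})` hands back, and since the notebookapp.py hunk in this patch stores the app's `cookie_options` trait in `tornado_settings` by reference, that is the application-wide configuration and the write survives across requests. The `secure` decision is made per request from `secure_cookie` / `self.request.protocol`, so after one https login every later login keeps `secure=True` regardless of that check, and the operator's configured dict is silently rewritten. Take a per-request copy before touching it: `cookie_options = dict(self.settings.get('cookie_options', {}))`. Given the tornado <4.2 caveat in the comment on these lines, an operator who passes `secure=False` through `cookie_options` would on those versions presumably still get a Secure cookie and break login over plain http, which deserves a sentence in the trait's help or a version check. The rest of `post()` lies outside the hunk.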
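Review bot: The help text on the new `cookie_options` trait does not say how it interacts with the `secure` default that login.py applies with `setdefault`, so an operator cannot tell whether a `secure` key given here wins or is overwritten. Suggest: `help="Extra keyword arguments to pass to set_secure_cookie, e.g. expires_days, domain or path. See tornado's set_secure_cookie docs for details. 'secure' is added automatically when the notebook is served over https (or secure_cookie is set); a value given here takes precedence."` The hunk sits inside a class body whose header is outside the view.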
@@ -934,6 +938,7 @@ def init_webapp(self):
         if self.allow_origin_pat:
             self.tornado_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
         self.tornado_settings['allow_credentials'] = self.allow_credentials
+        self.tornado_settings['cookie_options'] = self.cookie_options
         # ensure default_url starts with base_url
         if not self.default_url.startswith(self.base_url):
             self.default_url = url_path_join(self.base_url, self.default_url)

From 07c4d23cadb6f817fed890579bde05005c5ab4a7 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 18 Mar 2016 13:48:00 +0100
Subject: [PATCH 2/2] make cookies httponly by default

we don't need or want cookie access in js
---
 notebook/auth/login.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/notebook/auth/login.py b/notebook/auth/login.py
index 9bceba8296..24ac954ca2 100644
--- a/notebook/auth/login.py
+++ b/notebook/auth/login.py
@@ -40,6 +40,7 @@ def hashed_password(self):
     def post(self):
         typed_password = self.get_argument('password', default=u'')
         cookie_options = self.settings.get('cookie_options', {})
+        cookie_options.setdefault('httponly', True)
         if self.login_available(self.settings):
             if passwd_check(self.hashed_password, typed_password):
                 # tornado <4.2 has a bug that considers secure==True as soon as
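Review bot: The reason for `cookie_options.setdefault('httponly', True)` lives only in the commit message; put it next to the line so nobody later drops it as redundant: `# HttpOnly by default: the notebook's JS never reads the login cookie, so keep it out of reach of page script (XSS); cookie_options={'httponly': False} overrides.` Because `setdefault` lets configuration disable the flag, the `cookie_options` trait's help text in notebookapp.py should also state that `httponly` defaults to True. Note the line runs before the `login_available` check, so the default is applied on every POST even when no cookie is set; harmless, but the mutated dict is the shared settings object. The rest of `post()` lies outside the hunk.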