Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions notebook/auth/login.py
Original file line number Diff line number Diff line change
Expand Up @@ -39,15 +39,15 @@ def hashed_password(self):

def post(self):
typed_password = self.get_argument('password', default=u'')
cookie_options = self.settings.get('cookie_options', {})
cookie_options.setdefault('httponly', True)
if self.login_available(self.settings):
if passwd_check(self.hashed_password, typed_password):
# tornado <4.2 have a bug that consider secure==True as soon as
# tornado <4.2 has a bug that considers secure==True as soon as
# 'secure' kwarg is passed to set_secure_cookie
if self.settings.get('secure_cookie', self.request.protocol == 'https'):
kwargs = {'secure': True}
else:
kwargs = {}
self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **kwargs)
cookie_options.setdefault('secure', True)
self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **cookie_options)
else:
self.set_status(401)
self._render(message={'error': 'Invalid password'})
Expand Down
5 changes: 5 additions & 0 deletions notebook/notebookapp.py
Original file line number Diff line number Diff line change
Expand Up @@ -617,6 +617,10 @@ def _webapp_settings_changed(self, name, old, new):
help="Supply overrides for the tornado.web.Application that the "
"Jupyter notebook uses.")

cookie_options = Dict(config=True,
help="Extra keyword arguments to pass to `set_secure_cookie`."
" See tornado's set_secure_cookie docs for details."
)
ssl_options = Dict(config=True,
help="""Supply SSL options for the tornado HTTPServer.
See the tornado docs for details.""")
Expand Down Expand Up @@ -934,6 +938,7 @@ def init_webapp(self):
if self.allow_origin_pat:
self.tornado_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
self.tornado_settings['allow_credentials'] = self.allow_credentials
self.tornado_settings['cookie_options'] = self.cookie_options
# ensure default_url starts with base_url
if not self.default_url.startswith(self.base_url):
self.default_url = url_path_join(self.base_url, self.default_url)
Expand Down