403 : Forbidden XSRF cookie does not match POST argument

[krzysztof-kuba-finqbit]

Bug description

Hi! I have successfully set up the JupyterHub on top of kubernetes. However, when I enable Native Authentication, and try to sign up as a new user, I get the error: 403 : Forbidden XSRF cookie does not match POST argument.

I also reported the same issue here: #289

How to reproduce

There is the basic configuration of hub using Helm config.yaml file:

hub:
    config:
        JupyterHub:
            authenticator_class: native
      NativeAuthenticator:
            open_signup: true

My personal set up

• Helm chart version: 4.3.11
• JupyterHub is served over HTTPS
• Ingress is set-up by cloud provider, not by config.yaml file

Here are some relevant logs:

Logs

[I 2025-11-22 13:55:38.478 JupyterHub _xsrf_utils:130] Setting new xsrf cookie for b'None:<cookie_1>=' {'path': '/hub/', 'max_age': 3600}

[I 2025-11-22 13:55:38.494 JupyterHub log:192] 200 GET /hub/signup (@::ffff:<some_numbers_here>) 16.94ms

[I 2025-11-22 13:55:54.403 JupyterHub _xsrf_utils:130] Setting new xsrf cookie for b'<cookie_2>' {'path': '/hub/', 'max_age': 3600}

[W 2025-11-22 13:55:54.403 JupyterHub web:1932] 403 POST /hub/signup (::ffff:<some_numbers_here>): XSRF cookie does not match POST argument

[W 2025-11-22 13:55:54.436 JupyterHub log:192] 403 POST /hub/signup (@::ffff:<some_numbers_here>) 33.57ms

I cannot figure out any more relevant information. I tried to migrate to other Helm Chart versions, setting JuputerHub: trusted_downstream_ips: [] and some configuration with JupyterHub: tornado_settings: in config.yaml file and deleting browser cookies, but nothing worked. Weirdly enough, Dummy Authentication and Google Authetnication work just fine.

Thanks for help in advance!!!

[ampx-mg]

Have you tried restarting the proxy pod? I think I remember having similar issue and restarting the pod helped

[krzysztof-kuba-finqbit]

Hi! Thanks for the reply. Unfortunetely, restarting the proxy and hub pods does not solve the issue.

[consideRatio]

I think this may be related to nativeauthenticator not being updated to work well with modern versions of jupyterhub - I am not sure though.

[krzysztof-kuba-finqbit]

I was thinking the same, because it is weird that basic functions do not work, that's why I posted the issue.

[ampx-mg]

We are using NativeAuthenticator with the latest helm chart and it works without issues, however as I mentioned restarting the proxy pod helped, so unfortunately I dont have any more insights

[krzysztof-kuba-finqbit]

And how to you restart the pod? Is it sufficient to just delete it, so it automatically renews? Or is there a better way to do so? Do you also restart the kubernetes services assosiated with the pod (i.e proxy-public and proxy-api) ?

[ampx-mg]

I just deleted it to be recreated anew, but I am not saying this will solve your problem, it very well may be different issue

[krzysztof-kuba-finqbit]

Okay, thank you very much! As I said, just deleting the pod unfortunetely does not solve the issue:(

[krzysztof-kuba-finqbit]

@ampx-mg Can I ask You one more question? What Ingress are You using? Are you serving JupyterHub over HTTP or HTTPS with SLL/TLS certificates?

[manics]

Can you try following these troubleshooting suggestions (proxy_set_header, and JUPYTERHUB_XSRF_ANONYMOUS_IP_CIDRS)?
https://jupyterhub.readthedocs.io/en/stable/faq/troubleshooting.html#i-m-seeing-403-forbidden-xsrf-cookie-does-not-match-post-when-users-try-to-login

[krzysztof-kuba-finqbit]

I do not have nginx, so I tried to set up similar corresponding commands to proxy_set_header in the ingress in my cloud provider. I also set:

hub:
   extraEnv:
    JUPYTERHUB_XSRF_ANONYMOUS_IP_CIDRS:
      value: "0.0.0.0/0"

in config.yaml. But it did not help. Strange thing that I noticed is that somtimes I can sign-up as a new user, but then I cannot log-in, due to wrong username or password, despite the setting: open_signup: true in NativeAuthenticator. Trying to setup a new user after that results in the 403 : Forbidden XSRF cookie does not match POST argument error. I also noticed, the warining in the hub's pod:

[W 2025-11-26 10:59:50.466 JupyterHub auth:38]
    The shared database session at Authenticator.db is deprecated, and will be removed.
    Please manage your own database and connections.

    Contact JupyterHub at https://github.com/jupyterhub/jupyterhub/issues/3700
    if you have questions or ideas about direct database needs for your Authenticator.

Despite the fact that I already configured the external database with Google authentication method.
Thanks a lot for your help so far!

[manics]

It must be a NativeAuthenticator problem then, I've transferred the issue