From 61972480b9c48b41c0d5a42c100e86bdd1456740 Mon Sep 17 00:00:00 2001 From: Thomas Kluyver Date: Tue, 27 Feb 2018 13:33:12 +0000 Subject: [PATCH] Don't clear login cookie on requests without cookie Clearing the secure cookie makes sense when it is invalid or expired, but clearing it when it's not sent with a request can unexpectedly log the user out. I ran into this with misconstructed URLs which didn't incorporate base_url. That was itself a bug, but the result of suddenly being unauthenticated makes it harder to track down. Closes gh-3365 (hopefully) Possibly also relevant to gh-2396 I'm not sure why this seems to affect Firefox more than Chrome. --- notebook/auth/login.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/notebook/auth/login.py b/notebook/auth/login.py index 0f37260a20..eb96263e50 100644 --- a/notebook/auth/login.py +++ b/notebook/auth/login.py @@ -175,8 +175,12 @@ def get_user(cls, handler): # Used in is_token_authenticated above. handler._token_authenticated = True if user_id is None: - # prevent extra Invalid cookie sig warnings: - handler.clear_login_cookie() + # If an invalid cookie was sent, clear it to prevent unnecessary + # extra warnings. But don't do this on a request with *no* cookie, + # because that can erroneously log you out (see gh-3365) + if handler.get_cookie(handler.cookie_name) is not None: + handler.log.warning("Clearing invalid/expired login cookie %s", handler.cookie_name) + handler.clear_login_cookie() if not handler.login_available: # Completely insecure! No authentication at all. # No need to warn here, though; validate_security will have already done that.