Automatically getting logged out in Firefox

[SteliosStefanatos]

Hi,

My issue is as follows. I work with Jupyter notebook in Firefox (updated Anaconda installation; Ubuntu). Since about two weeks, I keep getting logged out automatically (I don't know if I use the correct term here). What happens is that the automatic save feature will fail (the "Forbidden" sign pops up on the notebook upper right corner) and I cannot save "manually" as well. When I attempt to go the dashboard I get prompted to provide the session token.

The weird thing is that this issue happens randomly during a session. It may appear after hours from starting Jupyter/firefox or even right from the start. Also, when I do provide the token, it often happens that I keep getting logged out right the next second and have to do several attempts till I can have it working.

This issue does not happen when I work on a different browser (chromium).

P.S.: I see similar reports for Firefox here

[takluyver]

That's interesting. I've seen something similar running Selenium tests with Firefox, but I haven't seen it in actual use yet. With the tests, it only seemed to affect Firefox 58, so I told it to install v57 as a workaround. Are you using 58 as well?

Authentication uses cookies, so it could be that something is deleting our authentication cookie. Next time you see this happen, can you open the developer tools, go to the storage tab and check what cookies you see?

[ghost]

I am also using Firefox, v58.0.2 on Fedora 27. When doing as you suggest, when I first open a jupyter notebook from the terminal, I see 2 cookies. The first is named, _xsrf, domain of localhost, expires on session, a value string, httponly of false; the second has a name of username-localhost-8888, domain of localhost, expires in a month, a different value string, and httponly set to true. When I then open any .ipynb from the tree after I login (I use a password), the second cookie always disappears.

Meanwhile, over in Vivaldi (based of chromium) navigating to the stored cookies, both remain. Ideas? Something to do with the httponly setting?

[takluyver]

username-localhost-8888 is our login cookie, so if that disappears, it makes sense that Jupyter would say you're unauthenticated.

We did make some changes to a method that's used to clear the login cookie (#3207). It sounds like you can reproduce the error readily, so could you try commenting out these lines in your local installation, starting a new notebook server and seeing if that makes any difference?

[takluyver]

Sorry, forgot the link. These lines:

notebook/notebook/base/handlers.py

Lines 126 to 131 in 2aac713

	if path and path != '/':
	# also clear cookie on / to ensure old cookies are cleared
	# after the change in path behavior (changed in notebook 5.2.2).
	# N.B. This bypasses the normal cookie handling, which can't update
	# two cookies with the same name. See the method above.
	self.force_clear_cookie(self.cookie_name)

[takluyver]

I've investigated a bit more. Do you have base_url set? That was one way I was able to trigger it. Do you have any Jupyter extensions enabled?

On any request which is missing the cookie, the server's response clears the cookie stored in the browser. The comments indicate that this is to prevent unnecessary warnings:

notebook/notebook/auth/login.py

Lines 178 to 179 in 2aac713

	# prevent extra Invalid cookie sig warnings:
	handler.clear_login_cookie()

However, when the token is scope to a path (base_url), it's easy to make a request outside that scope which won't include the cookie. The server sees that unauthenticated request and erroneously deletes your cookie entirely.

[takluyver]

#3380 fixes the example I could reproduce - could you try that? It's a small change, so it might be easiest to apply it manually to your local installation rather than installing from source (though of course we always welcome people installing from source).

[SteliosStefanatos]

Hi,

Thanks a lot for looking into this!

I also use Firefox v.58.0.2 and have multiple jupyter_contrib_nbextensions enabled, if that's of any help. Note that the issue started appearing around the time I updated the extensions with their latest release, but this may have just been a coincidence, I don't know.

The thing is that I cannot reproduce the issue on demand. It just appears randomly. Today everything seems to work fine.

I am afraid I can't follow the technical details, maybe someone else can.

[takluyver]

That's OK. How often do you see it? If it's reasonably often, you could try applying the change and using it for a few days to see if the problem reappears. If it does, the next step will be trying to figure out if any particular extension causes it.

Random issues are always the trickies to debug, so if you find any way to make it occur reliably, that's useful. You could try running the server with --debug to see what requests are made just before it logs you out, but there are a lot of requests going on, so it might not be all that obvious.

[SteliosStefanatos]

@takluyver

Almost every single day. There was one day I did not see it, thinking that it was "gone", but it returned the following day. Today it went smoothly. I will keep you posted.

Thanks again for your assistance!

[ghost]

#3380 fixes the example I could reproduce - could you try that? It's a small change, so it might be easiest to apply it manually to your local installation rather than installing from source (though of course we always welcome people installing from source).

Going ahead deleting lines 178-179, and changing them to the new lines in the associated git commit in #3380, in my local install of login.py, seems to have rectified the issue for me.

Specifically, commit 6197248 seemingly solved the issue.

I am able to open, edit and save .ipynb files without issue now.

Thanks for looking into it.

[takluyver]

Thanks @BobbyTables42 for confirming that. :-)