Enable `__Host-` "domain-locked" cookies when using subdomains
minrk opened this issue · comments
Proposed change
`__Host-` prefixed cookies offer some enhanced protection. They come with restrictions that:
- they are set with Secure (requires HTTPS)
- they have `path=/` (can't be used without user subdomains)
- they do not have a domain set (i.e. cannot be shared by subdomains)
This means we can't use them for JupyterHub cookies except for deployments using subdomains and HTTPS, but when a deployment uses subdomains and HTTPS, they could further benefit from cookie security.
Alternative options
Keep what we have.
Who would use this feature?
Deployments using HTTPS and user subdomains
(Optional): Suggest a solution
Implement a conditional to add the `__Host-` prefix to cookies, either its own standalone config or derived from subdomains being enabled + https (arguably subdomains without HTTPS shouldn't exist as an option, but we rely on it for testing!). This would also have to strip the `path` prefix from cookie kwargs.
This is available in JupyterHub 4.1
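A sketch of the conditional described in the issue, added here as an illustration and not taken from JupyterHub's code: it applies the `__Host-` prefix only when subdomains and HTTPS are both in use, rewrites the cookie kwargs to satisfy the three restrictions, and checks a `Set-Cookie` value against them. The function names, the `subdomains`/`https` parameters and the cookie name `hub-login` are assumptions made for the example.

```python
from http.cookies import SimpleCookie

HOST_PREFIX = "__Host-"

def host_cookie_args(name, kwargs, *, subdomains, https):
    """Return (cookie_name, kwargs); add __Host- only if the deployment qualifies."""
    kwargs = dict(kwargs)
    if not (subdomains and https):
        return name, kwargs          # keep the existing behaviour unchanged
    kwargs.pop("domain", None)       # __Host- cookies must not set Domain
    kwargs["path"] = "/"             # strip any path prefix: Path must be "/"
    kwargs["secure"] = True          # Secure is mandatory
    return HOST_PREFIX + name, kwargs

def render_set_cookie(name, value, kwargs):
    """Build a Set-Cookie header value from a name, value and cookie kwargs."""
    jar = SimpleCookie()
    jar[name] = value
    for key, val in kwargs.items():
        jar[name][key] = val
    return jar[name].OutputString()

def host_prefix_violations(set_cookie_value):
    """List the __Host- restrictions a Set-Cookie header value breaks."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    problems = []
    for name, morsel in jar.items():
        if not name.startswith(HOST_PREFIX):
            continue
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure")
        if morsel["path"] != "/":
            problems.append(f"{name}: Path is {morsel['path']!r}, must be '/'")
        if morsel["domain"]:
            problems.append(f"{name}: Domain must not be set")
    return problems

if __name__ == "__main__":
    # Constructed input: a cookie scoped to a path prefix and a shared domain.
    old = {"path": "/hub/", "domain": ".example.org", "httponly": True}
    name, args = host_cookie_args("hub-login", old, subdomains=True, https=True)
    header = render_set_cookie(name, "abc", args)
    print(header, host_prefix_violations(header))
    print(host_prefix_violations("__Host-hub-login=abc; Path=/hub/; Domain=example.org"))
```

Browsers that implement cookie prefixes reject a `__Host-` cookie that breaks any of these rules, so running a check like this in tests catches a misconfiguration before it shows up as a login that silently fails.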