Per Tornado's documentation:
>By default, Tornado’s secure cookies expire after 30 days.
>To change this, use the expires_days keyword argument to
>set_secure_cookie and the max_age_days argument to get_secure_cookie.
>These two values are passed separately so that you may
>e.g. have a cookie that is valid for 30 days for most purposes,
>but for certain sensitive actions
>(such as changing billing information)
>you use a smaller max_age_days when reading the cookie.

With the current implementation in `auth/login.py`,
it is possible to pass the `expires_days` option
but not possible to enforce it, as it is not possible
to pass `max_age_days` to `get_secure_cookie`.
This makes it impossible to set the cookie expiration without
using a custom `LoginHandler`.
This revision is about adding the possibility to pass options
to Tornado's `get_secure_cookie` method,
so that it is possible to set the cookie expiration,
among others.

This commit introduces a new alias `custom_display_url` to override the
URL info displayed at launch with a custom string.
It is intended to be used when the app is run in an environment where
the URL to display to the users is not detectable reliably (proxified or
containerized setups for example).

Noticed in test output that creating HMAC without digestmod arg is deprecated.
While there, use proper length of 32 bytes for default tornado cookie_secret. There’s no benefit to using a cookie secret that's longer than the cookie digest size, which is 32 bytes.

* Add support for terminals on Windows
* Bump terminado requirement
* Fix handling of default shell
* Fix appveyor syntax
* Fix requires syntax
* Fix version target
* Clean up handling of default shell and update version check
* Always require terminado
* Clean up appveyor test
* Make the terminado warning uniform
* Default to powershell on Windows
* Clean up terminado version

Currently changing the password does not revoke the current session:

- `jupyter notebook password <password1>`
- `jupyter notebook`
- Logging in
- Kill server
- `jupyter notebook password <other password>`
- `jupyter notebook`
- Oh! I'm still logged in.

With this, as the "effective" secret depends on the (hashed) password,
changing it voids any existing session (which I believe is the goal of
most password changes).
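
The two behaviours described in the messages above, a per-read `max_age_days` limit and a signing key that depends on the hashed password, can be shown together in a short sketch. This is an added example, not code from the notebook project or from Tornado: the simplified cookie format, the function names and the HMAC-SHA256 key derivation are assumptions, and the secret and password hashes are constructed.

```python
import hashlib
import hmac
import time

DAY = 86400

def effective_secret(base_secret, hashed_password):
    """Derive the cookie-signing key from the stored secret and the password hash."""
    return hmac.new(base_secret, hashed_password.encode(), hashlib.sha256).digest()

def _mac(key, name, value, ts):
    # Length prefixes keep (name, value) pairs from colliding in the MAC input.
    msg = f"{len(name)}:{name}|{len(value)}:{value}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_cookie(key, name, value, now=None):
    """Return 'value|timestamp|mac' (simplified format, not Tornado's)."""
    ts = str(int(time.time() if now is None else now))
    return f"{value}|{ts}|{_mac(key, name, value, ts)}"

def read_cookie(key, name, cookie, max_age_days=30, now=None):
    """Return the value if the MAC verifies and the cookie is fresh, else None."""
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return None
    value, ts, mac = parts
    expected = _mac(key, name, value, ts)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    now = time.time() if now is None else now
    if int(ts) < now - max_age_days * DAY:  # age is enforced at read time
        return None
    return value

if __name__ == "__main__":
    base = bytes(range(32))  # constructed 32-byte secret
    old_key = effective_secret(base, "constructed-hash-of-password1")
    new_key = effective_secret(base, "constructed-hash-of-other-password")
    issued = 1_700_000_000
    cookie = sign_cookie(old_key, "username", "alice", now=issued)
    later = issued + 2 * DAY
    print(read_cookie(old_key, "username", cookie, now=later))                  # normal read
    print(read_cookie(old_key, "username", cookie, max_age_days=1, now=later))  # sensitive action
    print(read_cookie(new_key, "username", cookie, now=later))                  # after password change
```

Because the age check happens in `read_cookie`, a handler that cannot pass `max_age_days` is stuck with the default window no matter what expiry was set when the cookie was issued.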

Signals don't work on Windows. This tries the HTTP shutdown request first.
On Unix, it will try SIGTERM after 5 seconds, and SIGKILL after another 5, if the
server didn't already exit.
Closes gh-2937