
NotebookApp Error unpacking user from cookie

Open ggrrll opened this issue 2 years ago • 14 comments

Describe the bug/ To Reproduce

🚫 When I launch notebook from the terminal, it keeps giving a forbidden error when trying to save (the error message from the console is in the title, with many 403 warnings)

✅ It works fine though if I launch the classical notebook from jupyter lab

Desktop (please complete the following information):

  • OS: macOS 13.0
  • Browser: brave, safari

some relevant packages from my pip freeze

ipykernel==6.20.2
ipython==8.8.0
ipython-genutils==0.2.0

jupyter==1.0.0
jupyter-console==6.4.4
jupyter-contrib-core==0.3.3
jupyter-contrib-nbextensions==0.5.1
jupyter-events==0.6.3
jupyter-highlight-selected-word==0.2.0
jupyter-latex-envs==1.4.6
jupyter-nbextensions-configurator==0.4.1
jupyter-server-mathjax==0.2.6
jupyter_client==7.4.9
jupyter_core==5.1.3
jupyter_server==2.1.0
jupyter_server_terminals==0.4.4
jupyterlab-pygments==0.2.2
jupyterlab-widgets==1.1.1
jupyterlab_server==2.19.0
jupyterlab==3.5.2

ggrrll avatar Jan 19 '23 14:01 ggrrll

Hi @ggrrll thank you for submitting this issue. Are you running from a directory where you have the needed permissions? Does this issue come up if you run from a different directory?

RRosio avatar Jan 19 '23 19:01 RRosio

Yes, I actually didn't have problems last week (also, I do not have issues with jupyter lab) ... the only thing that changed in the meantime, as far as I can see, is the installation of jupyter lab indeed

ggrrll avatar Jan 20 '23 08:01 ggrrll

I also started to observe this behaviour, though I do not know what changed in my environment. I am on macOS 13.1, with latest Chrome. I start the jupyter notebook server via the terminal from my home directory as always, which then automatically launches the browser on the jupyter notebook file browser page. I can then successfully open a notebook, but just a few seconds later, it stops working ("forbidden"). If I refresh the file browser page, it asks me for the token. I can enter the token, which will then successfully forward me to the file browser page. However, after a short time, the same behaviour repeats. Here is a log sequence:

[I 10:51:18.092 NotebookApp] 302 GET /tree(::1) 0.880000ms
[I 10:51:25.358 NotebookApp] 302 POST /login?next=%2Ftree(::1) 0.450000ms
[I 10:51:33.971 NotebookApp] Starting buffering for 5573df50-2df6-4ee0-b765-3e33b1dba59e:5647864a30654db5996e976155e05961
[W 10:51:34.234 NotebookApp] 404 GET /nbextensions/itkwidgets/extension.js?v=20230123103457 (::1) 1.080000ms referer=http://localhost:8888/notebooks/test.ipynb
[W 10:51:34.234 NotebookApp] 404 GET /nbextensions/k3d.js?v=20230123103457 (::1) 1.000000ms referer=http://localhost:8888/notebooks/test.ipynb
[W 10:51:34.235 NotebookApp] 404 GET /nbextensions/k3d/extension.js?v=20230123103457 (::1) 0.420000ms referer=http://localhost:8888/notebooks/test.ipynb
[W 10:51:35.309 NotebookApp] 404 GET /nbextensions/widgets/notebook/js/extension.js?v=20230123103457 (::1) 0.670000ms referer=http://localhost:8888/notebooks/test.ipynb
[E 10:51:35.318 NotebookApp] Error unpacking user from cookie: Extra data: line 1 column 4 (char 3)
[W 10:51:35.318 NotebookApp] Clearing invalid/expired login cookie username-localhost-8888
[W 10:51:35.318 NotebookApp] 403 POST /nbdime/api/isgit (::1) 0.520000ms referer=http://localhost:8888/notebooks/test.ipynb
[W 10:51:35.404 NotebookApp] Forbidden

The Cookie sent with one of the requests in this sequence looks as follows:

_xsrf=2|f9f65056|e080112f10d8f97a6e89c2d3346e811d|1674467478; username-localhost-8888="2|1:0|10:1674467485|23:username-localhost-8888|44:MzM0YmMyZGI5MzE3NGQ2NDhjZjBiNzI0MjExMGE1Yjg=|009cfe582cb0223f2dd093202edef9ad82cce34ba58f994d71033a5d1619c387"

burnpanck avatar Jan 23 '23 09:01 burnpanck
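
Added example (not part of the thread and not Jupyter's or Tornado's code): decoding the `username-localhost-8888` cookie quoted in the comment above reproduces the logged `Extra data: line 1 column 4 (char 3)` message. It assumes the value follows Tornado's version 2 signed-value layout (length-prefixed fields, base64 payload, trailing signature) and that the server tries to read the payload as JSON; the function names are hypothetical and the signature is not verified.

```python
import base64
import json

# Cookie value copied from the comment above (username cookie only, quotes removed).
COOKIE = (
    "2|1:0|10:1674467485|23:username-localhost-8888|"
    "44:MzM0YmMyZGI5MzE3NGQ2NDhjZjBiNzI0MjExMGE1Yjg=|"
    "009cfe582cb0223f2dd093202edef9ad82cce34ba58f994d71033a5d1619c387"
)


def parse_signed_value_v2(raw):
    """Split a version 2 signed value into its fields. Does NOT check the signature."""
    version, _sep, rest = raw.partition("|")
    if version != "2":
        raise ValueError("not a version 2 signed value")
    fields = []
    for _field in range(4):  # key_version, timestamp, name, value
        length, _sep, rest = rest.partition(":")
        n = int(length)
        if rest[n:n + 1] != "|":
            raise ValueError("length prefix does not match field content")
        fields.append(rest[:n])
        rest = rest[n + 1:]
    key_version, timestamp, name, value_b64 = fields
    return {
        "key_version": key_version,
        "timestamp": int(timestamp),
        "name": name,
        "value_b64": value_b64,
        "signature": rest,
    }


def diagnose(raw):
    """Return (cookie name, decoded payload, JSON error text or None)."""
    parsed = parse_signed_value_v2(raw)
    payload = base64.b64decode(parsed["value_b64"]).decode("utf-8")
    try:
        json.loads(payload)  # assumption: the server expects a JSON document here
        error = None
    except json.JSONDecodeError as exc:
        error = str(exc)
    return parsed["name"], payload, error


if __name__ == "__main__":
    print(diagnose(COOKIE))
```

The payload is a bare 32-character hex string rather than a JSON object: the JSON parser reads the leading digits `334` as a number and rejects the rest as extra data, which is the position the log reports.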

might be related to #2396

ggrrll avatar Jan 23 '23 15:01 ggrrll

btw, this issue seems to be affecting other tools as well, like nbdiff-web (https://nbdime.readthedocs.io); here is the console error

[E web:1798] Uncaught exception GET /difftool (127.0.0.1)
HTTPServerRequest(protocol='http', host='127.0.0.1:52958', method='GET', uri='/difftool', version='HTTP/1.1', remote_ip='127.0.0.1')
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 1692, in _execute
    result = await result
  File "/usr/local/lib/python3.9/site-packages/jupyter_server/base/handlers.py", line 608, in prepare
    _user = await _user
  File "/usr/local/lib/python3.9/site-packages/jupyter_server/auth/identity.py", line 241, in _get_user
    _cookie_user = self.get_user_cookie(handler)
  File "/usr/local/lib/python3.9/site-packages/jupyter_server/auth/identity.py", line 399, in get_user_cookie
    _user_cookie = handler.get_secure_cookie(
  File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 773, in get_secure_cookie
    self.require_setting("cookie_secret", "secure cookies")
  File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 1592, in require_setting
    raise Exception(
Exception: You must define the 'cookie_secret' setting in your application to use secure cookies
[E web:1221] Uncaught exception in write_error
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 1692, in _execute
    result = await result
  File "/usr/local/lib/python3.9/site-packages/jupyter_server/base/handlers.py", line 608, in prepare
    _user = await _user
  File "/usr/local/lib/python3.9/site-packages/jupyter_server/auth/identity.py", line 241, in _get_user
    _cookie_user = self.get_user_cookie(handler)
  File "/usr/local/lib/python3.9/site-packages/jupyter_server/auth/identity.py", line 399, in get_user_cookie
    _user_cookie = handler.get_secure_cookie(
  File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 773, in get_secure_cookie
    self.require_setting("cookie_secret", "secure cookies")
  File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 1592, in require_setting
    raise Exception(
Exception: You must define the 'cookie_secret' setting in your application to use secure cookies

ggrrll avatar Jan 23 '23 15:01 ggrrll

Not sure this is related to #2396. That thread is overflowing with people not having the right user permissions for the folder they are trying to access. Mine are correct. Also, just disabling token verification is definitely not a solution. On the other hand, #5492 does seem related. Following their thread, I downgraded my jupyter_server package from 2.0.1 to 1.23.5 (i.e. the latest satisfying jupyter_server<2). Now, everything appears to work as expected again. I conclude then that the recent version change did break something.

burnpanck avatar Jan 23 '23 17:01 burnpanck

yeah...indeed probably related to https://github.com/jupyter-server/jupyter_server/issues/1038

and yes, downgrading works for me too

ggrrll avatar Jan 23 '23 17:01 ggrrll

Are there any suggested workarounds for this at the moment, e.g. downgrade jupyter, or...?

I would love to be able to edit one of my notebooks right now, but this error is preventing it:

[E 15:52:41.105 NotebookApp] Error unpacking user from cookie: Extra data: line 1 column 4 (char 3)
[W 15:52:41.105 NotebookApp] Clearing invalid/expired login cookie username-localhost-8888

And then I get a window showing "Connection Failed".

I do have write permission in the directory - it's my laptop.

Version info:

$ pip list | grep jupyter
jupyter                           1.0.0
jupyter-book                      0.13.1
jupyter-cache                     0.4.3
jupyter_client                    7.4.9
jupyter-console                   6.4.4
jupyter-contrib-core              0.4.2
jupyter_core                      5.1.3
jupyter-events                    0.6.3
jupyter-nbextensions-configurator 0.6.1
jupyter_server                    2.1.0
jupyter-server-mathjax            0.2.6
jupyter_server_terminals          0.4.4
jupyter-sphinx                    0.3.2
jupyterlab-pygments               0.2.2
jupyterlab-widgets                1.1.1
sphinx-jupyterbook-latex          0.4.7

$ python --version
Python 3.10.9

$ pip list | grep ^nb
nbclassic                         0.4.8
nbclient                          0.5.13
nbconvert                         6.5.4
nbdev                             2.3.9
nbdime                            3.1.1
nbformat                          5.7.3

MacOS 12.3

This happens for all notebooks I try to open (which I used to be able to open), not just a particular notebook.

I am running the exact jupyter that corresponds with my current Python environment.

drscotthawley avatar Feb 01 '23 22:02 drscotthawley

Update: Found a workaround via this StackExchange answer:

Running

pip install --upgrade 'jupyter-server<2.0.0'

fixed the problem, without changing anything else. :-)

drscotthawley avatar Feb 01 '23 22:02 drscotthawley

Here is some log output that resulted from this issue:

[E 19:41:41.186 NotebookApp] Error unpacking user from cookie: Extra data: line 1 column 2 (char 1)
[W 19:41:41.186 NotebookApp] Clearing invalid/expired login cookie username-192-168-0-10-8888

How to reproduce:

  • Latest jupyter-notebook (jupyter-notebook 6.5.3-1 on Arch Linux as of now)
  • Have password login instead of token.

~/.jupyter/jupyter_notebook_config.json:

{
  "NotebookApp": {
    "password": "argon2:$a<snip>"
  }
}
  • Proper file read/write/execute permission set. Can create files in the browser.
  • Open the :8888 server page, login normally. This works as expected and does not kick me out.
  • Create notebook
  • Open it
  • Above log messages occur as soon as the page loads. If you open an existing/running notebook, same will occur.
  • Kernel disconnects, shows Forbidden.
  • Refresh, shows login page again. Login again, and it loads the notebook. Instantly kicks out with same error.

Problematic cookie example:

"username-192-168-0-10-8888" = "2|1:0|10:1678285174|26:username-192-168-0-10-8888|44:ZjgwNDY3OGY1NWE2NDNiYWJhYjE0YzQzZGFmNzk2ZDY=|700d01ee58758b6ce2239f56d06e27bdc0689e083d9abd0ed85dc01d159749bc" (Not sure if any sensitive data is there in this, tell me please, I'll remove it straight away)

nb-programmer avatar Mar 08 '23 14:03 nb-programmer

I have encountered the same issue as described on previous comments and solved it by using the workaround of downgrading 'jupyter-server' to version 1.23.4

TheCrescentKing avatar Jun 06 '23 14:06 TheCrescentKing

Is there any workaround that doesn't involve downgrading jupyter-server? Jupyter-server has a vulnerability, and we are getting flagged that we need to upgrade to at least jupyter-server>=2.11.2

xinyi-joffre avatar Jan 19 '24 01:01 xinyi-joffre

Downgrading did not solve it for me. I still keep getting:

[W 2024-02-23 16:01:38.253 ServerApp] wrote error: 'Forbidden'
[W 2024-02-23 16:01:38.254 ServerApp] 403 GET /api/sessions?1708700498223 (127.0.0.1) 2.85ms referer=None

Is there any other fix?

lappemic avatar Feb 23 '24 15:02 lappemic

I am also having the same problem. When running jupyter-lab I get a stack trace as well:

[W 2024-03-22 10:07:48.569 ServerApp] 403 GET /api/kernels?1711116468549 (@127.0.0.1) 1.40ms referer=None
[W 2024-03-22 10:07:48.569 ServerApp] wrote error: 'Forbidden'
    Traceback (most recent call last):
      File "/Users/pweinberg/Documents/atom_compiler_dev/flair-python/.venv/lib/python3.11/site-packages/tornado/web.py", line 1788, in _execute
        result = method(*self.path_args, **self.path_kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/Users/pweinberg/Documents/atom_compiler_dev/flair-python/.venv/lib/python3.11/site-packages/tornado/web.py", line 3289, in wrapper
        url = self.get_login_url()
              ^^^^^^^^^^^^^^^^^^^^
      File "/Users/pweinberg/Documents/atom_compiler_dev/flair-python/.venv/lib/python3.11/site-packages/jupyter_server/base/handlers.py", line 782, in get_login_url
        raise web.HTTPError(403)
    tornado.web.HTTPError: HTTP 403: Forbidden

Not sure if this is helpful at all.

weinbe58 avatar Mar 22 '24 14:03 weinbe58