Merge pull request #3380 from takluyver/i3365

Don't clear login cookie on requests without cookie
jupyter · Mar 5, 2018 · f00215b · f00215b
2 parents 95a8340 + 6197248
commit f00215b
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/notebook/auth/login.py b/notebook/auth/login.py
@@ -175,8 +175,12 @@ def get_user(cls, handler):
             # Used in is_token_authenticated above.
             handler._token_authenticated = True
         if user_id is None:
-            # prevent extra Invalid cookie sig warnings:
-            handler.clear_login_cookie()
+            # If an invalid cookie was sent, clear it to prevent unnecessary
+            # extra warnings. But don't do this on a request with *no* cookie,
+            # because that can erroneously log you out (see gh-3365)
+            if handler.get_cookie(handler.cookie_name) is not None:
+                handler.log.warning("Clearing invalid/expired login cookie %s", handler.cookie_name)
+                handler.clear_login_cookie()
             if not handler.login_available:
                 # Completely insecure! No authentication at all.
                 # No need to warn here, though; validate_security will have already done that.