hydrogen: Remote Kernels: "'_xsrf' argument missing from POST" when token is empty string
Description:
I’ve been working to get Hydrogen running on a remote Python kernel over SSH forwarding. As part of my troubleshooting, I temporarily set c.NotebookApp.token = '' in the jupyter_notebook_config.py file on the server. I was able to connect to the gateway, and able to access already-open jupyter kernels on the server, but was not able to create a new one from within Hydrogen. In the terminal, I saw errors:
[W 23:52:37.455 NotebookApp] 403 POST /api/sessions?1500263557319 (127.0.0.1): '_xsrf' argument missing from POST
[W 23:52:37.457 NotebookApp] 403 POST /api/sessions?1500263557319 (127.0.0.1) 4.09ms referer=None
Eventually, I discovered that this issue goes away when the token is not an empty string. I’m happy to use a token but am opening this issue in case someone wants to not use one when using SSH forwarding.
While debugging I came across this Jupyter blog post with likely some useful information (scroll to “Update: practical effects of xsrf for extensions”).
Steps to Reproduce:
jupyter notebook --generate-config- Change
#c.NotebookApp.token = '<generated>'toc.NotebookApp.token = '' - Set the Kernel Gateways settings inside Atom as:
[{"name":"remote_test", "options":{"baseUrl": "http://localhost:8888", "token": ""}}] - SSH forward:
ssh -L8888:localhost:8888 user@host - Hydrogen: Connect to Remote Kernel > remote_test > [new_session] > Python 3
- In the terminal I see the error reported above. I tried this with the R and Julia kernels as well and none worked.
Versions:
atom --version
Atom : 1.18.0
Electron: 1.3.15
Chrome : 52.0.2743.82
Node : 6.5.0
Logs:
[W 23:52:37.455 NotebookApp] 403 POST /api/sessions?1500263557319 (127.0.0.1): '_xsrf' argument missing from POST
[W 23:52:37.457 NotebookApp] 403 POST /api/sessions?1500263557319 (127.0.0.1) 4.09ms referer=None
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Reactions: 6
- Comments: 37 (5 by maintainers)
For some reason, if I open another notebook in the same kernel, this error goes away and I’m allowed to save…
Hi, I also encountered this issue, the solution was to refresh the localhost page, which then will ask you for a password or token to log in. Follow the instructions on the screen to get the access back to your notebook.
I am facing a similar issue with Jupyter notebook where suddenly I get Autosave failed with ‘_xsrf’ argument missing from the post. This is so frustrating as I have a lot of unsaved changes.
Edit: Setting
c.NotebookApp.tokento a non-empty string also solves the problem for me, and is safer. I don’t recommend enablingc.NotebookApp.disable_check_xsrfThis can be solved by changing
#c.NotebookApp.disable_check_xsrf = Falsetoc.NotebookApp.disable_check_xsrf = Truein jupyter_notebook_config.py.Hi, Even I faced the same issue. Solution: Try downloading your file (this will save the work), and you will be redirected to password page of jupyter notebook where the token is required to download the file which can be found on cmd localhost section. After this, you will be able to save the notebook again and your work will be downloaded.
I had this _xsrf issue probably because I put my computer on sleep and did not use it for a few days (Since I was unwell.) Refreshing the http://localhost:8888/tree/ tab in my browser fixed the issue.
Well, I’m guessing the _xsrf check is there for a reason?
Maybe because it’s the same solution as posted by @kylebarron last year and deemed as not optimal as it opens security vulnerabilities.
Yes, if you have neither xsrf tokens nor a form of authentication (e.g. tokens or passwords), it becomes very easy for malicious websites to secretly issue requests to your notebook server.
I think it’s unlikely that hydrogen will support XSRF functionality, because hydrogen isn’t a fully-featured web browser.
Fortunately Hydrogen’s authentication story has gotten much better lately, and I don’t think XSRF is required for authenticated requests. You can specify a fixed token in the gateway config, or leave out the “token” field from the config and enter one in manually each time you connect to the gateway. You can even copy an authentication cookie from your browser (useful if someone else is administering your notebook server and you can’t request a token from it).
I had the error after I accidentally deleted my browsers history after about 3 weeks since it was slowing the browser. It could be the same case
Changing < #c.NotebookApp.disable_check_xsrf = False > to < c.NotebookApp.disable_check_xsrf = True > in jupyter_notebook_config.py works! It’s maybe not an optimal solution but I have had enough with Jupyter Notebook oddities!
I used the safer alternative of duplicating the tab. It saved the file and seemed much less risks than reloading it.
simply
kernel->reconnectworks for me.