Hash cookie secret with user hashed password.

[Carreau]

Currently changing the password does not revoke current session:

• jupyter notebook password
• jupyter notebook
• Logging in
• Kill server
• jupyter notebook password
• jupyter notebook
• Oh ! I'm still logged in.

With this, as the "effective" secret depends on the (hashed) password,
changing it void any existing session (which I believe is the goal of
most password change)

cc @minrk, @rgbkrk, and @yuvipanda for review.

[rgbkrk]

I was going to make a comment here about what happens if the cookie file happened to be empty (leading to a 0 length), then I noticed that at least on my systems I can't set this keyword argument:

In [1]: from hashlib import sha256

In [2]: sha256(digest_size=0)
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
<ipython-input-2-94e5dda9a83d> in <module>()
----> 1 sha256(digest_size=0)

TypeError: openssl_sha256() takes no keyword arguments

[Carreau]

hum, weird.

[yuvipanda]

IMO this should be a HMAC, with the secret key as the HMAC key & the password as the message. HMACs are built for this exact specific use case, and supported in the stdlib.

[Carreau]

I disagree that HMAC are built for that (no code is going to check hmac(key, pw) equal the value here). The result of this function will be used by HMAC as the key later on (in tornado), so we're basically doing HMAC(HMAC(key, pwd_sha), cookie_value); Though I agree that the returned value with HMAC will still be (pseudo-)random enough.

[Carreau]

Should we also (or as an alternative) have the the jupyter notebook password command to regenerate the cookie secret ? Because If I change my password to an old one, then the previous sessions will become valid again. Or is this a "feature" ?