From 9619019c9b303862f654ed2266f9bc9cf8ac9796 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Thu, 18 Nov 2021 09:50:08 +0100
Subject: [PATCH] set xsrf cookie on base url avoids collisions across a given host
---
 jupyter_server/serverapp.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/jupyter_server/serverapp.py b/jupyter_server/serverapp.py
index 1dd6f9ba0a..ff193dba7e 100644
--- a/jupyter_server/serverapp.py
+++ b/jupyter_server/serverapp.py
@@ -356,6 +356,10 @@ def init_settings(
 # allow custom overrides for the tornado web app.
 settings.update(settings_overrides)
+
+ if base_url and "xsrf_cookie_kwargs" not in settings:
+ # default: set xsrf cookie on base_url
+ settings["xsrf_cookie_kwargs"] = {"path": base_url}
 return settings
 def init_handlers(self, default_services, settings):
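Review bot: The new default in `init_settings` is skipped whenever `settings` already holds an `xsrf_cookie_kwargs` key, and the check runs after `settings.update(settings_overrides)`. A deployment that sets that key only to add other cookie attributes therefore gets no `path`, and its `_xsrf` cookie is again shared across the host. Defaulting only the missing key would keep both, e.g. `settings.setdefault("xsrf_cookie_kwargs", {}).setdefault("path", base_url)`, assuming it is acceptable to write into a caller-supplied dict. The comment could also state that the cookie path only prevents name collisions and is not an isolation boundary: `# scope the xsrf cookie to base_url to avoid collisions; Path does not isolate apps sharing an origin`. The body of `init_settings` starts outside the hunk, so other code that may populate `xsrf_cookie_kwargs` is not visible here.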