Draft: Set XSRF cookie on API request

jupyter_server/auth/login.py

@@ -106,6 +106,9 @@ def set_login_cookie(cls, handler, user_id=None):
             cookie_options.setdefault("secure", True)
         cookie_options.setdefault("path", handler.base_url)
         handler.set_secure_cookie(handler.cookie_name, user_id, **cookie_options)
+        # To set _xsrf cookie at login
+        handler.current_user = handler._jupyter_current_user = user_id
+        handler.xsrf_token
         return user_id
 
     auth_header_pat = re.compile(r"token\s+(.+)", re.IGNORECASE)

jupyter_server/base/handlers.py

@@ -133,6 +133,7 @@ def clear_login_cookie(self):
             # N.B. This bypasses the normal cookie handling, which can't update
             # two cookies with the same name. See the method above.
             self.force_clear_cookie(self.cookie_name)
+        self.clear_cookie("_xsrf")
 
     def get_current_user(self):
         clsname = self.__class__.__name__