Bug description

After installing Superset in Docker v4.1.2 I'm facing login issues. I've created an admin user and one more. After entering credentials, the page just reloads with empty login and password fields. I've checked: there is a normal connection with the DB, users are created, and all pods are running and in healthy status. As I understand it from the logs, the issue is with CSRF, "The CSRF session token is missing", even if I write WTF_CSRF_ENABLED = False in the configuration. So there is some issue with the application itself: it can't manage its own token correctly when proxied. Python version 3.12.3

Screenshots/recordings

Page just reloads

Superset version

4.1.2

Python version

Not applicable

Node version

Not applicable

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

Hi @oleksii-revutskyi! I'm Dosu and I’m helping the Superset team.

This issue is often caused by proxy or cookie misconfiguration when running Superset behind a proxy or in Docker. Here are the most relevant things to check:

  • Make sure you have ENABLE_PROXY_FIX = True in your Superset config. This is crucial for correct CSRF and session handling behind a proxy or load balancer, as it ensures Superset interprets X-Forwarded headers properly (source).
  • Set SESSION_COOKIE_SECURE = True if you are using HTTPS everywhere, or False if you are only using HTTP internally. If this is set incorrectly, cookies (including CSRF tokens) may not be sent or accepted by the browser (source).
  • Double-check your browser and proxy settings for cookie handling, especially SameSite and Secure flags. If your proxy terminates SSL, make sure it forwards the correct headers and doesn't strip cookies.
  • If you want to disable CSRF for testing, ensure WTF_CSRF_ENABLED = False is set in the correct config file and is actually being picked up by the running container. Sometimes config changes are not picked up due to Docker caching or mounting issues (source).
  • If you want to troubleshoot further, you can obtain the CSRF token programmatically using Superset’s API endpoint (search for "csrf" in the API docs) to see if the token is being generated and sent correctly (source).

If you’re still seeing the issue after these checks, please share your Superset config (with secrets redacted) and details about your proxy setup.

To reply, just mention @dosu.
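
The cookie and proxy-header checks listed in the comment above can be run against the `Set-Cookie` headers captured from the login page. This is an added example, not part of the thread or of Superset's code; the function name, the sample header, and the cookie name `session` (Flask's default) are assumptions.

```python
from http.cookies import SimpleCookie

def diagnose_login_cookies(set_cookie_headers, browser_scheme,
                           forwarded_proto=None, session_cookie="session"):
    """Return findings explaining why the browser would not send the session back.

    set_cookie_headers: Set-Cookie values from the login page response.
    browser_scheme:     scheme in the browser address bar ("http" or "https").
    forwarded_proto:    X-Forwarded-Proto value the proxy sends upstream, if any.
    session_cookie:     assumed cookie name (Flask's default, "session").
    """
    findings = []
    seen = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            seen.add(name)
            secure = bool(morsel["secure"])
            samesite = morsel["samesite"].lower()
            # A Secure cookie delivered over plain HTTP is discarded, so the
            # next POST arrives without a session and CSRF validation fails.
            if secure and browser_scheme == "http":
                findings.append(f"{name}: Secure cookie over HTTP is not stored; "
                                "set SESSION_COOKIE_SECURE = False or serve HTTPS")
            if samesite == "none" and not secure:
                findings.append(f"{name}: SameSite=None requires Secure")
    if session_cookie not in seen:
        findings.append(f"{session_cookie}: no Set-Cookie reached the browser; "
                        "check whether the proxy strips it")
    if browser_scheme == "https" and forwarded_proto != "https":
        findings.append("proxy terminates TLS but does not forward "
                        "X-Forwarded-Proto: https")
    return findings

# Constructed sample: what a deployment with SESSION_COOKIE_SECURE = True emits.
SAMPLE = ["session=constructed-value; Secure; HttpOnly; Path=/; SameSite=Lax"]

if __name__ == "__main__":
    # HTTP-only Docker setup: the Secure flag is the problem.
    for line in diagnose_login_cookies(SAMPLE, "http"):
        print("FINDING:", line)
    # TLS at the proxy with the header forwarded: nothing to report.
    print(diagnose_login_cookies(SAMPLE, "https", forwarded_proto="https"))
```

Copy the real `Set-Cookie` values from the browser's network tab (or `curl -i`) in place of `SAMPLE`.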
