Bug description
I was using my backend to give the guest token to the frontend, but I was getting "error": "{\"errors\": [{\"message\": \"400 Bad Request: The CSRF session token is missing.\", \"error_type\": \"GENERIC_BACKEND_ERROR\", \"level\": \"error\", \"extra\": {\"issue_codes\": [{\"code\": 1011, \"message\": \"Issue 1011 - Superset encountered an unexpected error.\"}]}}]}"
Then I used CookieSession to maintain a session, but after enabling this I am not able to log out from my Superset. I have implemented OAuth using Azure.
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
I found some similar threads that might be helpful:
- 400 Bad Request: The CSRF session token is missing. - This discussion is open and might provide insights into handling CSRF token issues.
- Superset redirecting to login page very Frequently - This is another open discussion that could be relevant if you're experiencing frequent redirects.
- [QA][superset & keycloak] flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing. - This open discussion also deals with CSRF token issues.
To resolve the issue of not being able to logout after implementing OAUTH with Azure and using CookieSession, ensure that the CSRF token is properly fetched and included in the headers for requests that require it. Here are some steps you can follow:
- Ensure that the `getCSRFToken()` method is called before the logout request to fetch and set the CSRF token in the headers.
- Verify that the CSRF token is included in the headers of the logout request. The headers should include `'X-CSRFToken': this.csrfToken`.
- Check if the session is properly maintained and that the CSRF token is not being cleared or invalidated prematurely [1].
To continue talking to Dosu, mention @dosu.
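A minimal backend-side client, added here as an example and not code from the issue or from Superset itself: it keeps a single cookie jar so the token from `/api/v1/security/csrf_token/` is sent back together with the Flask session cookie it is bound to, which is exactly what a cookie-less request is missing when Superset answers "The CSRF session token is missing". It assumes an access token already obtained from Superset's login API; `SUPERSET_URL`, the guest username and the dashboard id are placeholders.

```python
import json
import urllib.request
from http.cookiejar import CookieJar

SUPERSET_URL = "http://localhost:8088"  # placeholder, not from the issue


def extract_csrf_token(body: bytes) -> str:
    """GET /api/v1/security/csrf_token/ answers {"result": "<token>"}."""
    return json.loads(body)["result"]


def guest_token_payload(dashboard_uuid: str, username: str) -> dict:
    """Body for POST /api/v1/security/guest_token/ (one embedded dashboard, no RLS)."""
    return {
        "user": {"username": username, "first_name": "Guest", "last_name": "User"},
        "resources": [{"type": "dashboard", "id": dashboard_uuid}],
        "rls": [],
    }


class SupersetBackendClient:
    """One cookie jar for every call: the CSRF token is tied to the `session`
    cookie set on the same response, so a fresh connection without that cookie
    fails with "The CSRF session token is missing"."""

    def __init__(self, base_url: str, access_token: str):
        self.base_url = base_url.rstrip("/")
        self.access_token = access_token
        self.csrf_token = None
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def _call(self, path: str, data: dict = None) -> bytes:
        headers = {"Authorization": f"Bearer {self.access_token}",
                   "Content-Type": "application/json"}
        if self.csrf_token:
            headers["X-CSRFToken"] = self.csrf_token
            # Flask-WTF also checks Referer on HTTPS when WTF_CSRF_SSL_STRICT is on.
            headers["Referer"] = self.base_url + "/"
        body = json.dumps(data).encode() if data is not None else None
        req = urllib.request.Request(self.base_url + path, data=body, headers=headers)
        with self.opener.open(req) as resp:
            return resp.read()

    def get_csrf_token(self) -> str:
        self.csrf_token = extract_csrf_token(self._call("/api/v1/security/csrf_token/"))
        return self.csrf_token

    def get_guest_token(self, dashboard_uuid: str, username: str) -> str:
        if not self.csrf_token:
            self.get_csrf_token()  # fetch the token before the state-changing POST
        body = self._call("/api/v1/security/guest_token/",
                          guest_token_payload(dashboard_uuid, username))
        return json.loads(body)["token"]
```

Call `SupersetBackendClient(SUPERSET_URL, access_token).get_guest_token(dashboard_uuid, "embed")` from the backend and hand only the returned guest token to the frontend; the access token and session cookie stay server-side.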
Comment From: rusackas
Is this effectively a duplicate of your CSRF issue from just yesterday?
Comment From: rusackas
Closing as duplicate of #33035