GitHub user dosubot[bot] added a comment to the discussion: CSRF Session token is missing
Superset 5.0.0 enforces CSRF protection on the /api/v1/security/guest_token endpoint, so both a valid CSRF token and the session cookie must be included in your POST request. The CSRF token you get from /api/v1/security/csrf_token/ is tied to the session cookie set in the response. When making the POST to /guest_token, you need to send both the X-CSRFToken header and the session cookie together—if either is missing or mismatched, you'll get the "CSRF session token is missing" error. This is stricter than some previous versions, where session handling might have been more lenient.

Make sure your flow is: fetch the CSRF token, extract the session cookie from the Set-Cookie header, and then include both in your POST request to /guest_token (withCredentials: true, X-CSRFToken header, and the session cookie in the Cookie header). If you want to disable CSRF for testing, you can set WTF_CSRF_ENABLED = False in your config, but this is not recommended for production.

For more details, see the relevant code and config references [here](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/api.py) and [here](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py).

GitHub link: https://github.com/apache/superset/discussions/34738#discussioncomment-14143875
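
The flow described in the comment above, as an added example that is not part of the original comment or of Superset's code: one cookie jar is shared by both requests, so the session cookie set alongside the CSRF token is replayed with the `X-CSRFToken` header. Assumptions: `base_url`, a Bearer `access_token` from a prior login, the trailing slash on the guest_token path, and the `result` / `token` response fields.

```python
import json
import urllib.request
from http.cookiejar import CookieJar


def fetch_guest_token(base_url, access_token, guest_payload):
    """Return a guest token, keeping the CSRF token and its session cookie paired."""
    jar = CookieJar()  # holds the session cookie set by the csrf_token response
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    # Assumption: the caller already holds a JWT access token from a login call.
    auth = {"Authorization": f"Bearer {access_token}"}

    # Step 1: fetch the CSRF token; the Set-Cookie on this response lands in the jar.
    req = urllib.request.Request(f"{base_url}/api/v1/security/csrf_token/", headers=auth)
    with opener.open(req, timeout=10) as resp:
        csrf_token = json.load(resp)["result"]  # assumed response field
    if len(jar) == 0:
        # Without the session cookie the server has nothing to check the token against.
        raise RuntimeError("no session cookie was set with the CSRF token")

    # Step 2: POST through the same opener so the cookie travels with the header.
    req = urllib.request.Request(
        f"{base_url}/api/v1/security/guest_token/",
        data=json.dumps(guest_payload).encode(),
        headers={**auth, "Content-Type": "application/json", "X-CSRFToken": csrf_token},
        method="POST",
    )
    with opener.open(req, timeout=10) as resp:
        return json.load(resp)["token"]  # assumed response field
```

A cookie marked `Secure` is only replayed over HTTPS, so calling this against a plain-HTTP base URL can reproduce the same error even though both requests share the jar.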
