Re: [D] CSRF Session token is missing [superset]

[via GitHub]

GitHub user dosubot[bot] added a comment to the discussion: CSRF Session token 
is missing

<!-- Answer -->
The issue is with how you're passing cookies to the Cookie header. Superset 
expects the Cookie header to be a single string of key=value pairs, not an 
array or the full set-cookie strings. You need to extract just the session 
cookie value and format it like this:

```js
// Example: extract the session cookie from set-cookie array
const sessionCookie = cookies
  .map(c => c.split(';')[0])
  .find(c => c.startsWith('session='));

// Then use:
headers: {
  Cookie: sessionCookie, // e.g. 'session=.e,......'
  'X-CSRFToken': csrfToken,
  Authorization: `Bearer ${accessToken}`,
  'Content-Type': 'application/json',
}
```

If you need to send multiple cookies, join them with `; ` (semicolon and 
space), like `'session=...; async-token=...'`. But for CSRF/session validation, 
the session cookie is required and must match the CSRF token you received. 
Passing the whole array or the full set-cookie strings will cause validation to 
fail [see code 
reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/api.py).

Let me know if you're running this in a browser or Node.js—handling HttpOnly 
cookies is different in each environment.


<!-- Dosu Comment Footer -->
*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*

---
<sup>How did I do? 
[Good](https://app.dosu.dev/response-feedback/ba788581-fb39-4a0c-a3fe-7a7f165a91bd?feedback_type=great_response)
 | 
[Irrelevant](https://app.dosu.dev/response-feedback/ba788581-fb39-4a0c-a3fe-7a7f165a91bd?feedback_type=irrelevant_answer)
 | 
[Incorrect](https://app.dosu.dev/response-feedback/ba788581-fb39-4a0c-a3fe-7a7f165a91bd?feedback_type=incorrect_sources)
 | 
[Verbose](https://app.dosu.dev/response-feedback/ba788581-fb39-4a0c-a3fe-7a7f165a91bd?feedback_type=too_verbose)
 | 
[Hallucination](https://app.dosu.dev/response-feedback/ba788581-fb39-4a0c-a3fe-7a7f165a91bd?feedback_type=hallucination)
 | [Report 
🐛](https://app.dosu.dev/response-feedback/ba788581-fb39-4a0c-a3fe-7a7f165a91bd?feedback_type=bug_report)
 | 
[Other](https://app.dosu.dev/response-feedback/ba788581-fb39-4a0c-a3fe-7a7f165a91bd?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat
 with 
Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github)&
 nbsp;[![Join 
Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share
 on 
X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/34738)

GitHub link: 
https://github.com/apache/superset/discussions/34738#discussioncomment-14144017

----
This is an automatically sent email for notifications@superset.apache.org.
To unsubscribe, please send an email to: 
notifications-unsubscr...@superset.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For additional commands, e-mail: notifications-h...@superset.apache.org