when set WTF_CSRF_ENABLED = False , login to Superset still failure, log show : flask_wtf.csrf.CSRFError: "The CSRF session token is missing " #25587

Closed
wangrenjun-vs opened this issue Oct 10, 2023 · 7 comments

Comments

@wangrenjun-vs
A clear and concise description of what the bug is.

How to reproduce the bug

  1. install superset 3.0 via pip3
  2. init and start super
  3. update superset_config.py WTF_CSRF_ENABLED = False
  4. Open browser and log in
  5. superset log shows: "flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing."
2023-10-10 08:08:37,440:INFO:flask_wtf.csrf:The CSRF session token is missing.
Refresh CSRF token error
Traceback (most recent call last):
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 261, in protect
    validate_csrf(self._get_csrf_token())
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 103, in validate_csrf
    raise ValidationError("The CSRF session token is missing.")
wtforms.validators.ValidationError: The CSRF session token is missing.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask/app.py", line 1482, in full_dispatch_request
    rv = self.preprocess_request()
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask/app.py", line 1974, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 264, in protect
    self._error_response(e.args[0])
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
2023-10-10 08:08:37,440:WARNING:superset.views.base:Refresh CSRF token error
Traceback (most recent call last):
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 261, in protect
    validate_csrf(self._get_csrf_token())
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 103, in validate_csrf
    raise ValidationError("The CSRF session token is missing.")
wtforms.validators.ValidationError: The CSRF session token is missing.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask/app.py", line 1482, in full_dispatch_request
    rv = self.preprocess_request()
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask/app.py", line 1974, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 264, in protect
    self._error_response(e.args[0])
  File "/home/ec2-user/superset-v3/venv/lib64/python3.9/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
2023-10-10 08:08:37,441:INFO:werkzeug:43.230.89.249 - - [10/Oct/2023 08:08:37] "POST /login/ HTTP/1.1" 302 -
2023-10-10 08:08:37,785:INFO:werkzeug:43.230.89.249 - - [10/Oct/2023 08:08:37] "GET /login/ HTTP/1.1" 200 -

Expected results

Can log in successfully

Actual results

Login fails, remains on login page

Screenshots

Environment

(please complete the following information):

  • browser type and version:
  • superset version: superset version
  • python version: 3.9.16
  • node.js version: no node.js install
  • any feature flags active:

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • [ x ] I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • [ x ] I have reproduced the issue with at least the latest released version of superset.
  • [ x ] I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

@wangrenjun-vs wangrenjun-vs changed the title when set WTF_CSRF_ENABLED = False , login to Superset still prompt: flask_wtf.csrf.CSRFError: "The CSRF session token is missing " when set WTF_CSRF_ENABLED = False , login to Superset still failure, log show : flask_wtf.csrf.CSRFError: "The CSRF session token is missing " Oct 10, 2023
@myaidev
myaidev commented Oct 12, 2023

CSRF_ENABLED = False

WTF_CSRF_ENABLED = False

TALISMAN_ENABLED = False

Using the above combination in superset_config.py is working for me with docker compose

@shaymongracia
I'm having the same issue; any advice other than disabling TALISMAN?

@myaidev
myaidev commented Oct 16, 2023

@shaymongracia HTTPS with a domain will solve your problem (nothing disabled as mentioned above). It's working at our end.

@shaymongracia
@hubaidev that is awesome! I just set up nginx to load certificates and that solved the issue. Thanks for the support

@pv-brunoalves
pv-brunoalves commented Nov 10, 2023

I had the same problem, but the documentation tells you what to do: ENABLE_PROXY_FIX=true
If you are using an LB type in AWS or something like that, just edit the .env variable file and upload the app. I used docker compose and it worked. It is explained in the superset documentation.

https://apache.googlesource.com/superset/+/refs/tags/3.0.1/superset/config.py

@sfirke
Member

sfirke commented Nov 16, 2023

See #24579 for possibly related discussions. The best fix is to set up proper HTTPS, as people in this thread mention (thank you!). Otherwise you could try setting "session_cookie_secure": False in your TALISMAN_CONFIG, see if that helps?
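
An added example, not part of the thread or of Superset's code: it uses Python's standard-library cookie jar as a stand-in for the browser to show why a session cookie marked Secure (the flag that the `session_cookie_secure` setting mentioned above controls) never reaches the server on a plain-HTTP login POST, which leaves the session without a CSRF token. The host name and cookie value are constructed for illustration.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample Set-Cookie headers (not taken from a real Superset instance).
SECURE = "session=abc123; Secure; HttpOnly; Path=/"
NOT_SECURE = "session=abc123; HttpOnly; Path=/"


class FakeResponse:
    """Minimal response object: CookieJar only needs .info() returning headers."""

    def __init__(self, set_cookie):
        self._msg = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._msg


def cookie_sent_back(scheme, set_cookie):
    """Return the Cookie header a client would attach to the login POST.

    The login page is fetched over `scheme`, the server answers with
    `set_cookie`, and the client then POSTs the login form to the same URL.
    """
    url = f"{scheme}://superset.example.com/login/"  # hypothetical host
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(url))

    post = urllib.request.Request(url, data=b"username=admin", method="POST")
    jar.add_cookie_header(post)
    return post.get_header("Cookie")  # None when no cookie is eligible


if __name__ == "__main__":
    for scheme, header in [("http", SECURE), ("https", SECURE), ("http", NOT_SECURE)]:
        sent = cookie_sent_back(scheme, header)
        print(f"{scheme:5} | {header:45} | Cookie sent: {sent}")
```

Only the first combination (Secure cookie, plain HTTP) drops the session cookie, which matches the `POST /login/` followed by a redirect back to `GET /login/` in the log above; serving the site over HTTPS keeps the Secure flag and the CSRF check intact.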

@rusackas
Member

rusackas commented Apr 8, 2024

Sounds like there's nothing more to discuss here, so I'll close this one out. Thanks everyone!

@rusackas rusackas closed this as completed Apr 8, 2024