Superset CSRF Token missing error #22873

Closed
RamiAli24 opened this issue Jan 26, 2023 · 11 comments

@RamiAli24

RamiAli24 commented Jan 26, 2023

I get an error when accessing dashboards, and only dashboards, not charts, like the image beneath.
After tracing the error in the Superset container, I got this error.

I am running superset via k8s helm chart

```
Refresh CSRF token error
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 261, in protect
    validate_csrf(self._get_csrf_token())
  File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 100, in validate_csrf
    raise ValidationError("The CSRF token is missing.")
wtforms.validators.ValidationError: The CSRF token is missing.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1515, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1857, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 264, in protect
    self._error_response(e.args[0])
  File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing.
```

@RamiAli24 RamiAli24 added the #bug Bug report label Jan 26, 2023
@RamiAli24 RamiAli24 changed the title from "Superset metadata postgres DB after migrating data to another DB" to "Superset CSRF Token missing error" Jan 26, 2023
@RamiAli24 RamiAli24 reopened this Jan 27, 2023
@ShaliniIruvuru

Didn’t get any error while accessing dashboards.

Screenshots:-
image

@BoogalooLi

While logging in with the newest version (Version: 0.0.0-dev), I came up with the same error. There is useful help on Stack Overflow (https://stackoverflow.com/questions/76537655/after-log-in-to-superset-redirect-fialed). But it doesn't work for me.
```
123.1.253.113 - - [26/Jun/2023:07:35:03 +0000] "GET /login/?next=http://58.177.151.102:8088/superset/welcome/ HTTP/1.1" 200 51415 "http://58.177.151.102:8088/superset/welcome/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.58"
2023-06-26 07:35:22,166:INFO:flask_wtf.csrf:The CSRF session token is missing.
Refresh CSRF token error
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 261, in protect
    validate_csrf(self._get_csrf_token())
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 103, in validate_csrf
    raise ValidationError("The CSRF session token is missing.")
wtforms.validators.ValidationError: The CSRF session token is missing.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1821, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2313, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 264, in protect
    self._error_response(e.args[0])
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
2023-06-26 07:35:22,166:WARNING:superset.views.base:Refresh CSRF token error
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 261, in protect
    validate_csrf(self._get_csrf_token())
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 103, in validate_csrf
    raise ValidationError("The CSRF session token is missing.")
wtforms.validators.ValidationError: The CSRF session token is missing.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1821, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2313, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 264, in protect
    self._error_response(e.args[0])
  File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
```

@Nikoslav

Nikoslav commented Oct 4, 2023

Did you manage to solve this? I have the same issue on 3.0.

@janhavitripurwar
Contributor

Is this issue solved? I am facing the same error while logging in to Superset.
I am following this: https://superset.apache.org/docs/installation/installing-superset-from-scratch/

@Nikoslav

In config set:

```python
TALISMAN_ENABLED = utils.cast_to_boolean(os.environ.get("TALISMAN_ENABLED", False))
```

This helped me.

@dotmitsu

dotmitsu commented Nov 21, 2023

Same error and login doesn't work. For the Helm chart, adding `TALISMAN_ENABLED: "False"` to `extraEnv` in values.yaml fixed the problem.

```yaml
extraEnv:
  TALISMAN_ENABLED: "False"
```

@amirhosseinkabiri

AFTER 3 HOURS!!!! Just this Russian site helped me!
You should go to superset/config.py, search for TALISMAN_ENABLED and set it to false:

```python
TALISMAN_ENABLED = False
```

(My full address of superset/config.py is like so:
/root/venv/lib/python3.10/site-packages/superset/config.py

If you can't find it, run this command:

```
find . -name config.py
```
)

@avitaltwingo

> AFTER 3 HOURS!!!! Just this Russian site helped me! You should go to superset/config.py, search for TALISMAN_ENABLED and set it to false
>
> TALISMAN_ENABLED = False (My full address of superset/config.py is like so: /root/venv/lib/python3.10/site-packages/superset/config.py
>
> If you can't find it, run this command: find . -name config.py )

Thank you!! Saved me precious time.

@Davidkramer1999

Davidkramer1999 commented Mar 12, 2024

I'm experiencing quite a similar issue, getting "400 Bad Request: The CSRF token is missing." when trying to import a dashboard through the API, so /api/v1/dashboard/import. I have disabled TALISMAN_ENABLED = False. The interesting part is that through the UI everything works as it should...

image

@rusackas
Member

@Davidkramer1999 what you're looking at is the API docs, not the Superset UI. Are you accessing this via the documentation website, or via your own Superset instance, e.g. http://localhost:8088/swagger/v1? The latter works for me on current master. That seems like a separate issue from what was originally filed, though.

For the original request, you're right that you can turn off Talisman to get around this. Just note that you lose a whole slew of other security safeguards when you do that. It's better to just... provide the token as expected.

Closing, as neither of these seem to be a bug (although one of the two is probably a config error), the thread is a bit mixed up now, and both have gone fairly stale. Happy to reopen or tackle in newer, more focused reports with reproducible steps.
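The two messages in the tracebacks above ("The CSRF token is missing." and "The CSRF session token is missing.") point at different missing pieces of the same session-bound check. The following is an added example, not code from this thread, Flask-WTF or Superset: a simplified stdlib model of that check, in which the HMAC signing, the `SECRET_KEY` value and the function names are assumptions for illustration, and the header name follows Flask-WTF's default `X-CSRFToken`.

```python
import hashlib
import hmac
import os

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the app's SECRET_KEY


def _sign(raw: str) -> str:
    return hmac.new(SECRET_KEY, raw.encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session: dict) -> str:
    """Keep a random value in the session; hand the client a signed copy of it."""
    session.setdefault("csrf_token", os.urandom(20).hex())
    raw = session["csrf_token"]
    return f"{raw}.{_sign(raw)}"


def check_request(session: dict, headers: dict) -> str:
    """Return 'ok' or the reason the request would be rejected with a 400."""
    token = headers.get("X-CSRFToken")
    if not token:
        return "The CSRF token is missing."          # no token sent with the request
    if "csrf_token" not in session:
        return "The CSRF session token is missing."  # token sent, session holds none
    raw, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(raw)):
        return "The CSRF token is invalid."          # signature does not verify
    if not hmac.compare_digest(raw, session["csrf_token"]):
        return "The CSRF tokens do not match."       # token belongs to another session
    return "ok"


def scenarios() -> dict:
    session = {}                       # constructed: what the session cookie maps to
    token = issue_csrf_token(session)  # token handed to this client
    other = issue_csrf_token({})       # token issued under a different session
    return {
        "no_header": check_request(session, {}),
        "no_session_cookie": check_request({}, {"X-CSRFToken": token}),
        "foreign_token": check_request(session, {"X-CSRFToken": other}),
        "token_and_cookie": check_request(session, {"X-CSRFToken": token}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18} -> {outcome}")
```

Only the request that carries both the token header and the session it was issued under passes, which is why an API client has to keep the session cookie from the call that returned the token.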

@rusackas rusackas closed this as not planned Won't fix, can't repro, duplicate, stale Sep 23, 2024
@darrylhebbes

This helped me in superset-config.py WTF_CSRF_ENABLED = False, but made my Security Admin guy have a sleepless night.
