sfirke opened a new pull request, #26005: URL: https://github.com/apache/superset/pull/26005
### SUMMARY

The default value of SESSION_COOKIE_SECURE was historically False. This was changed unintentionally when we enabled TALISMAN_CONFIG by default. That comes with unstated, implicit settings including making SESSION_COOKIE_SECURE = True. This contradicts our documentation (issue #25854). More importantly, it contributed to a critical problem where new users who have not enabled HTTPS yet as part of their setup encounter a login loop and are unable to use Superset.

The canonical issue here is https://github.com/apache/superset/issues/24579#issuecomment-1814715020; please review that thread ending with the comment I linked.

I'm not an expert in this area and there might be more we need to do to get a combination of security values that works for out-of-the-box setups. But this PR seemed like a good simple start in that it's reverting an unintended change that came when we implemented Talisman CSP.

### TESTING INSTRUCTIONS

Install a new instance of Superset with this config value in Talisman? Two users in that thread report that this config change enabled them to install and use Superset.

### ADDITIONAL INFORMATION

- [x] Has associated issue: Fixes #25854, fixes #24579 at least enough that it can be closed and, if a problem persists, a new issue created
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
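The mechanism behind the login loop described in the PR above, as an added example that is not part of the PR, Superset or flask-talisman: a small model of how Talisman's implicit `session_cookie_secure=True` default overrides the app's `SESSION_COOKIE_SECURE`, a simulated browser that honours the `Secure` cookie attribute, and a deployment check that flags the mismatch. It assumes that flask-talisman's `Talisman.init_app()` sets `app.config["SESSION_COOKIE_SECURE"] = True` when its `session_cookie_secure` keyword is left at its default and never lowers the flag, that Superset passes `TALISMAN_CONFIG` through as those keywords when `TALISMAN_ENABLED` is true, and that the fix amounts to an explicit `"session_cookie_secure": False` entry in `TALISMAN_CONFIG` (the PR's actual diff is not on this page). The config fragments, URLs and cookie values are constructed.

```python
"""Why Talisman's implicit default flips SESSION_COOKIE_SECURE, and what that
does to a plain-HTTP login.

Added example for the PR thread above, not Superset or flask-talisman code.
Assumptions it encodes:
  * flask-talisman's Talisman.init_app() sets app.config["SESSION_COOKIE_SECURE"]
    to True whenever its session_cookie_secure keyword is left at its default
    (True), overriding whatever the app configured; it never lowers the flag.
  * Superset passes TALISMAN_CONFIG through as those keywords when
    TALISMAN_ENABLED is true.
  * The fix is modelled as an explicit "session_cookie_secure": False entry in
    TALISMAN_CONFIG (the PR's diff is not on this page).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed config fragments in the shape of superset_config.py values.
CONFIG_BEFORE = {
    "SESSION_COOKIE_SECURE": False,             # the documented default
    "TALISMAN_ENABLED": True,
    "TALISMAN_CONFIG": {"force_https": False},  # session_cookie_secure unstated
}
CONFIG_AFTER = {
    "SESSION_COOKIE_SECURE": False,
    "TALISMAN_ENABLED": True,
    "TALISMAN_CONFIG": {"force_https": False, "session_cookie_secure": False},
}


def effective_session_cookie_secure(config: dict) -> bool:
    """Value the Flask app ends up with after Talisman has been initialised."""
    value = bool(config.get("SESSION_COOKIE_SECURE", False))
    if config.get("TALISMAN_ENABLED", False):
        opts = config.get("TALISMAN_CONFIG") or {}
        # Key absent -> Talisman's own default of True wins (assumption above).
        if opts.get("session_cookie_secure", True):
            value = True
    return value


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


@dataclass
class BrowserJar:
    """Minimal cookie jar that honours the Secure attribute."""
    cookies: dict = field(default_factory=dict)

    def store(self, cookie: Cookie) -> None:
        # Real browsers may refuse to store a Secure cookie set over http at
        # all; either way it is absent from the next plain-http request.
        self.cookies[cookie.name] = cookie

    def cookies_for(self, url: str) -> dict:
        https = urlsplit(url).scheme == "https"
        return {c.name: c.value for c in self.cookies.values()
                if https or not c.secure}


def simulate_login(base_url: str, session_cookie_secure: bool,
                   max_attempts: int = 3) -> tuple[bool, int]:
    """Replay login -> redirect -> welcome page against a Secure-aware jar.

    Returns (reached_welcome_page, attempts_used). Exhausting max_attempts
    without ever presenting the session cookie is the thread's login loop.
    """
    jar = BrowserJar()
    for attempt in range(1, max_attempts + 1):
        # POST /login succeeded: server replies Set-Cookie: session=...; [Secure]
        jar.store(Cookie("session", "opaque-session-id", session_cookie_secure))
        # Browser follows the redirect; server looks for the session cookie.
        if "session" in jar.cookies_for(base_url + "/superset/welcome/"):
            return True, attempt
        # No session presented -> server redirects back to /login; go round again.
    return False, max_attempts


def check_deployment(config: dict, public_url: str) -> str | None:
    """Practitioner's check: warn when the effective flag cannot work for the URL."""
    secure = effective_session_cookie_secure(config)
    scheme = urlsplit(public_url).scheme
    if secure and scheme == "http":
        return ("effective SESSION_COOKIE_SECURE=True but %s is served over "
                "plain HTTP: the session cookie is never sent back (login loop)"
                % public_url)
    if not secure and scheme == "https":
        return "SESSION_COOKIE_SECURE=False on an HTTPS deployment: set it to True"
    return None


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        eff = effective_session_cookie_secure(cfg)
        print(label, "effective SESSION_COOKIE_SECURE =", eff,
              "login over http:", simulate_login("http://localhost:8088", eff))
```

The `check_deployment` warning for the HTTPS case is the caveat that goes with this fix: an explicit `False` only makes sense for an HTTP-only evaluation setup, and anyone terminating TLS in front of Superset should set `SESSION_COOKIE_SECURE = True` (and let Talisman keep its default) so the session cookie is never sent in clear.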
