GitHub user dosubot[bot] added a comment to the discussion: CSRF Session token 
is missing

The issue is with how you're passing cookies to the Cookie header. Superset 
expects the Cookie header to be a single string of key=value pairs, not an 
array or the full set-cookie strings. You need to extract just the session 
cookie value and format it like this:

```js
// Example: extract the session cookie from the set-cookie array
// (`cookies` holds the set-cookie values from the earlier response)
const sessionCookie = cookies
  .map(c => c.split(';')[0]) // keep only "name=value", drop attributes
  .find(c => c.startsWith('session='));

// Then use it in the request headers:
const headers = {
  Cookie: sessionCookie, // e.g. 'session=.e,......'
  'X-CSRFToken': csrfToken,
  Authorization: `Bearer ${accessToken}`,
  'Content-Type': 'application/json',
};
```

If you need to send multiple cookies, join them with `; ` (semicolon and 
space), like `'session=...; async-token=...'`. But for CSRF/session validation, 
the session cookie is required and must match the CSRF token you received. 
Passing the whole array or the full set-cookie strings will cause validation to 
fail [see code 
reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/api.py).

Let me know if you're running this in a browser or Node.js—handling HttpOnly 
cookies is different in each environment.



GitHub link: 
https://github.com/apache/superset/discussions/34738#discussioncomment-14144017
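
As an added example (not part of the original comment and not Superset's own code), the sketch below goes beyond the session-only case: it turns an array of `set-cookie` values into one `Cookie` header string, handling values that contain `=`, repeated names, and cookies the server has deleted. The function names, the allow-list parameter and the sample cookie values are assumptions made for illustration.

```javascript
// Added example: build one Cookie request header from Set-Cookie values.
// All names here are hypothetical; sample data is constructed.

// Parse one Set-Cookie string into { name, value, deleted }.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;                 // no name: not a usable cookie
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);        // the value may itself contain '='
  // A server deletes a cookie by sending Max-Age=0 (or a negative value).
  const deleted = attrs.some(a => /^max-age\s*=\s*(0|-\d+)$/i.test(a));
  return { name, value, deleted };
}

// `setCookies`: array (or single string) of Set-Cookie values.
// `allow`: optional list of cookie names to forward; others are dropped.
function buildCookieHeader(setCookies, allow) {
  const lines = Array.isArray(setCookies) ? setCookies : [setCookies];
  const jar = new Map();                   // later cookies override earlier ones
  for (const line of lines) {
    const c = typeof line === 'string' ? parseSetCookie(line) : null;
    if (!c) continue;
    if (allow && !allow.includes(c.name)) continue;
    if (c.deleted) jar.delete(c.name);
    else jar.set(c.name, c.value);
  }
  return [...jar].map(([n, v]) => `${n}=${v}`).join('; ');
}

// Headers in the shape shown in the comment above, forwarding only `session`.
function buildHeaders(setCookies, csrfToken, accessToken) {
  return {
    Cookie: buildCookieHeader(setCookies, ['session']),
    'X-CSRFToken': csrfToken,
    Authorization: `Bearer ${accessToken}`,
    'Content-Type': 'application/json',
  };
}

// Constructed sample input (not real tokens).
const sampleSetCookie = [
  'session=abc.def=; HttpOnly; Path=/; SameSite=Lax',
  'async-token=xyz; Path=/',
  'tracking=1; Max-Age=0',
];
```

Forwarding only the cookies the endpoint needs keeps unrelated cookies out of outbound requests and out of any request logging.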

----
This is an automatically sent email for notifications@superset.apache.org.
To unsubscribe, please send an email to: 
notifications-unsubscr...@superset.apache.org

