GitHub user dosubot[bot] added a comment to the discussion: Mixing Jmix Superset add-on embedded dashboards (guest token) with full Superset UI iframe (SSO) causes redirect to login
There isn’t a built-in way in Superset or Flask to isolate session cookies by path or to support multiple parallel session cookies for different authentication flows under the same domain. Superset’s session cookie settings (like SESSION_COOKIE_SAMESITE, SESSION_COOKIE_SECURE) apply globally, and only one session context is enabled per domain. The guest token flow is stateless and doesn’t use browser session cookies, but switching between guest token embedding and SSO (Keycloak) in the same browser session can still cause session conflicts, as reported by multiple users. This is due to browser cookie policies and the way Flask handles sessions, not explicit logic in Superset itself ([source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py), [source](https://github.com/apache/superset/issues/33067)).

Reverse proxy rules or path-based isolation (e.g., `/superset/embed/*` vs `/superset/ui/*`) won’t help, since Flask/Superset does not support setting different session cookies by path. True isolation would require running separate Superset instances or using different subdomains, which allows browsers to keep cookies separate ([source](https://github.com/apache/superset/issues/34773)).

If you must keep everything under one domain, the only partial mitigations are: use incognito windows or separate browsers for each flow, or coordinate session state carefully (e.g., clear cookies between flows). For most setups, the recommended approach is to use guest tokens for embedding and SSO for the full UI, but not both in the same browser session ([source](https://github.com/apache/superset/issues/33067), [source](https://github.com/apache/superset/discussions/33654)).

Let me know if you want more details on advanced workarounds or custom setups.

GitHub link: https://github.com/apache/superset/discussions/35231#discussioncomment-14477395

----

This is an automatically sent email for notifications@superset.apache.org. To unsubscribe, please send an email to: notifications-unsubscr...@superset.apache.org
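The cookie-scoping behaviour the comment above relies on (one cookie per name, host and path; host-only cookies never cross subdomains) can be checked offline with the standard library's `http.cookiejar`, which applies the same rules a browser does. The block below is an added example, not code from the Superset project or from the discussion; the host names, paths and cookie values are constructed, and it assumes, for illustration, that both flows cause the server to emit a `Set-Cookie` for the same `session` name (Flask's `SESSION_COOKIE_PATH` and `SESSION_COOKIE_DOMAIN` are single app-wide settings, so every session cookie it sets shares one name, one path and one domain).

```python
"""Model of how a browser cookie jar scopes a Flask-style session cookie.

Added example, not code from the Superset project or the discussion above.
Standard library only; responses are constructed in-process so it runs offline.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _ConstructedResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers.add_header("Set-Cookie", set_cookie_header)

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_header):
    """Store the cookie a response to `url` would set, under browser rules."""
    jar.extract_cookies(_ConstructedResponse(set_cookie_header), Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header a browser would attach to a request to `url`
    (None when no stored cookie matches the host and path)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


# Assumption: both flows make the server emit a cookie named `session` with
# Path=/ (Flask's single SESSION_COOKIE_PATH). Values are constructed.
SSO_COOKIE = "session=sso-session; Path=/; Secure; HttpOnly; SameSite=None"
GUEST_COOKIE = "session=guest-session; Path=/; Secure; HttpOnly; SameSite=None"


def same_host_overwrite():
    """Same host, same name, same path: the second Set-Cookie replaces the
    first, so the full-UI request now carries the other flow's session."""
    jar = CookieJar()
    receive(jar, "https://bi.example.test/superset/ui/login", SSO_COOKIE)
    receive(jar, "https://bi.example.test/superset/embed/", GUEST_COOKIE)
    return cookie_header_for(jar, "https://bi.example.test/superset/ui/dashboard/")


def subdomain_isolation():
    """Host-only cookies (no Domain attribute) set by different subdomains are
    stored separately and are never sent to the other host."""
    jar = CookieJar()
    receive(jar, "https://ui.example.test/superset/ui/login", SSO_COOKIE)
    receive(jar, "https://embed.example.test/superset/embed/", GUEST_COOKIE)
    return (
        cookie_header_for(jar, "https://embed.example.test/superset/embed/x"),
        cookie_header_for(jar, "https://ui.example.test/superset/ui/dashboard/"),
    )


def path_scoped_cookies():
    """What path isolation would look like if the server could emit a different
    Path per flow: the browser keeps both cookies. Flask exposes only one
    SESSION_COOKIE_PATH, so this split is not reachable through its config."""
    jar = CookieJar()
    receive(jar, "https://bi.example.test/superset/ui/login",
            "session=sso-session; Path=/superset/ui; Secure; HttpOnly")
    receive(jar, "https://bi.example.test/superset/embed/",
            "session=guest-session; Path=/superset/embed; Secure; HttpOnly")
    return (
        cookie_header_for(jar, "https://bi.example.test/superset/ui/dashboard/"),
        cookie_header_for(jar, "https://bi.example.test/superset/embed/x"),
    )


if __name__ == "__main__":
    print("same host:  ", same_host_overwrite())
    print("subdomains: ", subdomain_isolation())
    print("paths:      ", path_scoped_cookies())
```

Running it shows the first case returning the guest session on a full-UI request (the SSO session is gone), the second case keeping the two sessions apart, and the third case working only because the cookies carry different `Path` values, which a single Flask app cannot produce for two routes.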