aklein-1s commented on issue #37753: URL: https://github.com/apache/superset/issues/37753#issuecomment-3861271254
> Check if the async-token cookie is set in your browser: In the browser dev tools (Application/Storage tab), look for a cookie named async-token for your Superset domain after logging in. If it's missing, Superset isn't setting it, likely due to cookie attribute issues.

Check: I still don't have the cookie.

> Cookie attributes can prevent the cookie from being set or sent: The async-token cookie is set by Superset with attributes like httponly=True, secure (from GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE), domain (from GLOBAL_ASYNC_QUERIES_JWT_COOKIE_DOMAIN), and samesite (from GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SAMESITE). If, for example, secure=True but you're accessing over HTTP, or the domain is set incorrectly, the browser will silently drop the cookie and it won't be sent to the websocket server. SameSite restrictions can also block the cookie in cross-origin scenarios. See the relevant code and config options [here](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/async_events/async_query_manager.py#L134-L195). Try explicitly setting these in your superset_config_docker.py:
>
> ```
> GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE = True  # if using HTTPS
> GLOBAL_ASYNC_QUERIES_JWT_COOKIE_DOMAIN = "subdomain.domain.com"  # match your domain
> GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SAMESITE = "None"  # for cross-origin websocket
> ```

I add these lines but same problem.

> WebSocket URL and hostname must match: The websocket server and the main Superset app must run on the same hostname (even if on different ports) for cookies to be sent during the handshake. If you use HTTPS, the websocket URL must be wss:// and the domain must match exactly (no mixing localhost/127.0.0.1/custom domains) https://github.com/apache/superset/discussions/33583.

Check url matches.

> Check the WebSocket handshake in the browser: In the Network tab, filter by "WS", click the failed websocket request, and check the "Request Headers" for a Cookie header containing async-token. If it's missing, the browser isn't sending it—likely due to the issues above.

<img width="544" height="675" alt="Image" src="https://github.com/user-attachments/assets/bd079fc8-bbb0-46f6-8f0b-aed6c1f96a91" />

The corresponding error in nginx log

```
2025/09/26 15:47:07 [error] 8818#8818: *502 upstream prematurely closed connection while reading response header from upstream, client: 172.16.20.2, server: subdomain.domain.com, request: "GET /ws HTTP/1.1", upstream: "http://127.0.0.1:8080/ws", host: "subdomain.domain.com"
2025/09/29 14:04:15 [error] 807#807: *93 connect() failed (111: Connection refused) while connecting to upstream, client: 172.16.20.5, server: subdomain.domain.com, request: "GET /ws HTTP/1.1", upstream: "http://127.0.0.1:8080/ws", host: "subdomain.domain.com"
```

> Content Security Policy (CSP) can block the connection: If you have a CSP, ensure your websocket URL is included in the connect-src directive in TALISMAN_CONFIG in your Superset config https://github.com/apache/superset/issues/35340.

I didn't specify it but I already added this to my superset_config_docker.py:

```
TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "script-src": ["'self'", "https://trusted-scripts.com"],
        "img-src": ["'self'", "data:"],
        "connect-src": [
            "'self'",
            "wss://subdomain.domain.com/ws",  # Add your websocket endpoint here, use wss protocol (wss:) for SSL connection
            "https://api.mapbox.com"
        ],
    },
}
```

> Nginx must forward cookies and upgrade headers: Your nginx config looks correct, but double-check that /ws is being proxied to the websocket backend and that no subpath or prefix is being added or stripped incorrectly https://github.com/apache/superset/issues/34773.

How can I check that?

So my superset works with root path actually as my nginx config shows it.

So I access the app with
- https://subdomain.domain.com/

and it works but the url was changed by:
- https://subdomain.domain.com/superset/welcome/

And I don't have root path configuration with current version.
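
Added example (not part of the comment above and not Superset code): a Python check of the browser cookie rules that the quoted checklist describes, applied to the three GLOBAL_ASYNC_QUERIES_JWT_COOKIE_* values together with the app URL and the websocket URL. The function names, problem strings and sample cases are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Illustrative helpers; names are hypothetical, not part of Superset.
def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match; an unset domain means a host-only cookie."""
    if not cookie_domain:
        return True
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)

def check_async_cookie(app_url, ws_url, secure, domain, samesite):
    """List reasons a browser would drop or withhold the async-token cookie."""
    app, ws = urlsplit(app_url), urlsplit(ws_url)
    app_host = (app.hostname or "").lower()
    ws_host = (ws.hostname or "").lower()
    problems = []
    # Browsers reject Secure cookies set over plain HTTP (some exempt localhost).
    if secure and app.scheme != "https":
        problems.append("Secure cookie set over http:// is rejected")
    if secure and ws.scheme != "wss":
        problems.append("Secure cookie is not sent on a ws:// handshake")
    if app.scheme == "https" and ws.scheme != "wss":
        problems.append("https page must use wss:// (mixed content)")
    if (samesite or "").lower() == "none" and not secure:
        problems.append("SameSite=None requires Secure")
    if not domain_matches(app_host, domain):
        problems.append("cookie domain does not cover the app host")
    if domain and not domain_matches(ws_host, domain):
        problems.append("cookie domain does not cover the websocket host")
    if not domain and ws_host != app_host:
        problems.append("host-only cookie is not sent to another websocket host")
    return problems

if __name__ == "__main__":
    # Constructed cases; the first uses the values quoted in the comment.
    cases = [
        ("https://subdomain.domain.com/", "wss://subdomain.domain.com/ws",
         True, "subdomain.domain.com", "None"),
        ("http://subdomain.domain.com/", "ws://subdomain.domain.com/ws",
         True, None, "Lax"),
        ("https://localhost:8088/", "wss://127.0.0.1:8080/ws",
         True, None, "None"),
    ]
    for case in cases:
        print(case[0], "->", check_async_cookie(*case) or "attributes consistent")
```

An empty list only means the cookie attributes and URLs are mutually consistent; it says nothing about whether the websocket backend behind the proxy is reachable.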
