Overview: Apache Superset uses Flask's default stateless session handling. This approach is common, efficient, and well-suited for many environments, including development and testing. When a user logs in, a session cookie is created in their browser. When they log out, the browser is instructed to clear this cookie.
With stateless sessions, the server does not maintain a central list of active sessions. If a session cookie is leaked or copied before logout, its validity is limited only by its own expiration timer. In a production environment, this could allow an attacker who gained access to that cookie to keep using it even after the legitimate user has logged out. Additionally, these session cookies could be reused on different Superset instances if the SUPERSET_SECRET_KEY is weak, reused, or otherwise exposed, provided the username is the same.

Applicable To: All versions of Apache Superset using the default stateless session configuration. This advisory concerns security best practices for all deployments rather than a specific code-level vulnerability.

Recommendations: This report has highlighted the critical importance of administrators properly securing their production environments. The following configuration practices are recommended:

* Configure Session Timeouts: For production environments using the default stateless session handling, administrators must configure reasonably short session expiration periods. This is the primary and perfectly acceptable mitigation for this risk, and the recommended approach for most production instances.

* Consider Server-Side Sessions (Optional): The default stateless session model is robust and efficient. However, production environments that require immediate, server-side invalidation of sessions can use an optional server-side session backend. This is an alternative approach for specific, stricter security postures.

* Secure the Secret Key: The SUPERSET_SECRET_KEY is essential to session security. It must be a cryptographically strong and unique value. Reusing keys across instances or using weak keys makes attacks computationally feasible.
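The following is an added example, not code from the Apache Superset project or this advisory: a small audit of a superset_config-style dict against the three recommendations above (short session lifetime, strong secret key, optional server-side sessions). The config key names are real Flask and Superset settings; the two sample configs and the weak-word heuristic are constructed here.

```python
"""Audit a Superset config dict for the session hardening recommended above."""
from datetime import timedelta
import secrets

# Constructed sample configs (not from the project). Key names are real settings.
WEAK_CONFIG = {
    "SECRET_KEY": "superset",                          # short and guessable
    "PERMANENT_SESSION_LIFETIME": timedelta(days=31),  # Flask's default lifetime
    "SESSION_COOKIE_SECURE": False,
}

HARDENED_CONFIG = {
    "SECRET_KEY": secrets.token_urlsafe(42),           # like `openssl rand -base64 42`
    "PERMANENT_SESSION_LIFETIME": timedelta(hours=8),  # bounds a leaked cookie's life
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "SESSION_SERVER_SIDE": True,  # optional backend: logout can invalidate server-side
}

# Flask defaults used when a setting is not spelled out in the config.
FLASK_DEFAULTS = {"SESSION_COOKIE_SECURE": False, "SESSION_COOKIE_HTTPONLY": True}
WEAK_KEY_WORDS = ("secret", "superset", "change", "password", "test")  # heuristic


def _as_timedelta(value):
    """Flask accepts PERMANENT_SESSION_LIFETIME as a timedelta or as int seconds."""
    return value if isinstance(value, timedelta) else timedelta(seconds=int(value))


def audit_session_config(cfg, max_lifetime=timedelta(hours=12), min_key_chars=32):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    key = str(cfg.get("SECRET_KEY", ""))
    if len(key) < min_key_chars or len(set(key)) < 8:
        findings.append("SECRET_KEY: too short or low entropy; generate a random value")
    elif any(word in key.lower() for word in WEAK_KEY_WORDS):
        findings.append("SECRET_KEY: looks like a placeholder or dictionary word")

    lifetime = _as_timedelta(cfg.get("PERMANENT_SESSION_LIFETIME", timedelta(days=31)))
    if lifetime > max_lifetime:
        findings.append(f"PERMANENT_SESSION_LIFETIME: {lifetime} exceeds {max_lifetime}; "
                        "a leaked cookie stays valid until it expires")

    for flag, default in FLASK_DEFAULTS.items():
        if not cfg.get(flag, default):
            findings.append(f"{flag}: should be True so the cookie is harder to leak")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_session_config(cfg) or ["OK"])
```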
This report led to the creation of a consolidated documentation section dedicated to these best practices: https://superset.apache.org/docs/security/securing_superset

More details on user session configuration can also be found at: https://superset.apache.org/docs/security/#user-sessions

Acknowledgments: We would like to thank Ícaro Torres for the detailed report and research that helped us improve our security documentation for all users.

Best Regards,
Pedro Sousa / Apache Superset Security
