Hello. We developed a Streamlit app that we put behind SSO inside our organization. It is on an EC2 instance, and we use a FastAPI front end for SSO, which sets some cookies in the browser; the Streamlit backend then reads these cookies when SSO succeeds. We use nginx as a reverse proxy.
Everything works if you access the URL directly.
However, if the website is accessed by a referred link, the cookies are not set on the first visit to the site. In order to make things work, we have had to turn off XSRF and CORS protections, which makes me nervous.
Does anyone have any insight into these scenarios? I found a bug report that is now two years old and has been recently revived about improper XSRF cookie setting by Streamlit (Misconfigured _xsrf cookies · Issue #5793 · streamlit/streamlit · GitHub), but other than that, nothing else.
Thanks!