diff --git a/web/app/components/app/app-publisher/index.tsx b/web/app/components/app/app-publisher/index.tsx
index 7f1dcdf6f8..d6e316f0d3 100644
--- a/web/app/components/app/app-publisher/index.tsx
+++ b/web/app/components/app/app-publisher/index.tsx
@@ -289,10 +289,10 @@ const AppPublisher = ({
                 {!isAppAccessSet && <p className='system-xs-regular mt-1 text-text-warning'>{t('app.publishApp.notSetDesc')}</p>}
               </div>
               <div className='flex flex-col gap-y-1 border-t-[0.5px] border-t-divider-regular p-4 pt-3'>
-                <Tooltip triggerClassName='flex' disabled={!systemFeatures.webapp_auth.enabled || userCanAccessApp?.result} popupContent={t('app.noAccessPermission')} asChild={false}>
+                <Tooltip triggerClassName='flex' disabled={!systemFeatures.webapp_auth.enabled || appDetail?.access_mode === AccessMode.EXTERNAL_MEMBERS || userCanAccessApp?.result} popupContent={t('app.noAccessPermission')} asChild={false}>
                   <SuggestedAction
                     className='flex-1'
-                    disabled={!publishedAt || (systemFeatures.webapp_auth.enabled && !userCanAccessApp?.result)}
+                    disabled={!publishedAt || (systemFeatures.webapp_auth.enabled && appDetail?.access_mode !== AccessMode.EXTERNAL_MEMBERS && !userCanAccessApp?.result)}
                     link={appURL}
                     icon={<RiPlayCircleLine className='h-4 w-4' />}
                   >
@@ -301,10 +301,10 @@ const AppPublisher = ({
                 </Tooltip>
                 {(appDetail?.mode === 'workflow' || appDetail?.mode === 'completion')
                   ? (
-                    <Tooltip triggerClassName='flex' disabled={!systemFeatures.webapp_auth.enabled || userCanAccessApp?.result} popupContent={t('app.noAccessPermission')} asChild={false}>
+                    <Tooltip triggerClassName='flex' disabled={!systemFeatures.webapp_auth.enabled || appDetail?.access_mode === AccessMode.EXTERNAL_MEMBERS || userCanAccessApp?.result} popupContent={t('app.noAccessPermission')} asChild={false}>
                       <SuggestedAction
                         className='flex-1'
-                        disabled={!publishedAt || (systemFeatures.webapp_auth.enabled && !userCanAccessApp?.result)}
+                        disabled={!publishedAt || (systemFeatures.webapp_auth.enabled && appDetail?.access_mode !== AccessMode.EXTERNAL_MEMBERS && !userCanAccessApp?.result)}
                         link={`${appURL}${appURL.includes('?') ? '&' : '?'}mode=batch`}
                         icon={<RiPlayList2Line className='h-4 w-4' />}
                       >
diff --git a/web/app/signin/components/sso-auth.tsx b/web/app/signin/components/sso-auth.tsx
index fb303b93e2..6a248fc2d2 100644
--- a/web/app/signin/components/sso-auth.tsx
+++ b/web/app/signin/components/sso-auth.tsx
@@ -34,7 +34,7 @@ const SSOAuth: FC<SSOAuthProps> = ({
     }
     else if (protocol === SSOProtocol.OIDC) {
       getUserOIDCSSOUrl(invite_token).then((res) => {
-        document.cookie = `user-oidc-state=${res.state}`
+        document.cookie = `user-oidc-state=${res.state};Path=/`
         router.push(res.url)
       }).finally(() => {
         setIsLoading(false)
@@ -42,7 +42,7 @@ const SSOAuth: FC<SSOAuthProps> = ({
     }
     else if (protocol === SSOProtocol.OAuth2) {
       getUserOAuth2SSOUrl(invite_token).then((res) => {
-        document.cookie = `user-oauth2-state=${res.state}`
+        document.cookie = `user-oauth2-state=${res.state};Path=/`
         router.push(res.url)
       }).finally(() => {
         setIsLoading(false)