From 93d25eea0b069a120a7a32105b25a16bb17a3eb9 Mon Sep 17 00:00:00 2001
From: Aditya Toshniwal
Date: Mon, 22 Jan 2024 12:25:20 +0530
Subject: [PATCH] Use COOKIE_DEFAULT_PATH or SCRIPT_NAME in session cookie path. #6557

---
 web/pgadmin/__init__.py | 7 +------
 web/pgadmin/browser/__init__.py | 2 +-
 web/pgadmin/evaluate_config.py | 9 +++++++++
 web/pgadmin/preferences/__init__.py | 2 +-
 web/pgadmin/utils/session.py | 1 +
 5 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/web/pgadmin/__init__.py b/web/pgadmin/__init__.py
index b91bec107..001c79a19 100644
--- a/web/pgadmin/__init__.py
+++ b/web/pgadmin/__init__.py
@@ -496,11 +496,6 @@ def create_app(app_name=None):
 'SECURITY_EMAIL_VALIDATOR_ARGS': config.SECURITY_EMAIL_VALIDATOR_ARGS
 }))
- if 'SCRIPT_NAME' in os.environ and os.environ["SCRIPT_NAME"]:
- app.config.update(dict({
- 'APPLICATION_ROOT': os.environ["SCRIPT_NAME"]
- }))
-
 app.config.update(dict({
 'INTERNAL': INTERNAL,
 'LDAP': LDAP,
@@ -833,7 +828,7 @@ def create_app(app_name=None):
 config.COOKIE_DEFAULT_DOMAIN != 'localhost':
 domain['domain'] = config.COOKIE_DEFAULT_DOMAIN
 response.set_cookie('PGADMIN_INT_KEY', value=request.args['key'],
- path=config.COOKIE_DEFAULT_PATH,
+ path=config.SESSION_COOKIE_PATH,
 secure=config.SESSION_COOKIE_SECURE,
 httponly=config.SESSION_COOKIE_HTTPONLY,
 samesite=config.SESSION_COOKIE_SAMESITE,
diff --git a/web/pgadmin/browser/__init__.py b/web/pgadmin/browser/__init__.py
index 90c42b935..76819e04b 100644
--- a/web/pgadmin/browser/__init__.py
+++ b/web/pgadmin/browser/__init__.py
@@ -422,7 +422,7 @@ def index():
 domain['domain'] = config.COOKIE_DEFAULT_DOMAIN
 response.set_cookie("PGADMIN_LANGUAGE", value=language,
- path=config.COOKIE_DEFAULT_PATH,
+ path=config.SESSION_COOKIE_PATH,
 secure=config.SESSION_COOKIE_SECURE,
 httponly=config.SESSION_COOKIE_HTTPONLY,
 samesite=config.SESSION_COOKIE_SAMESITE,
diff --git a/web/pgadmin/evaluate_config.py b/web/pgadmin/evaluate_config.py
index f3d31037e..e035a899a 100644
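Review bot: The `path=config.SESSION_COOKIE_PATH` line in the PGADMIN_INT_KEY `set_cookie` call is one of three identical attribute blocks (the PGADMIN_LANGUAGE calls in browser/__init__.py @@ -422 and preferences/__init__.py @@ -262 are the other two), and this commit is itself evidence that they drift: `path` had to be corrected in all three places at once. A small helper in the config or utils layer that returns the shared keyword arguments (path, secure, httponly, samesite) from the module config, spread into each call as `response.set_cookie(..., **cookie_attrs())`, would keep the next attribute change to a single edit. This is a point of style; the values now match what utils/session.py sets on the session cookie. The enclosing `create_app` body continues outside the hunk.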
--- a/web/pgadmin/evaluate_config.py
+++ b/web/pgadmin/evaluate_config.py
@@ -127,4 +127,13 @@ def evaluate_and_patch_config(config: dict) -> dict:
 config.setdefault('DISABLED_LOCAL_PASSWORD_STORAGE', False)
 config.setdefault('KEYRING_NAME', k_name)
+ config.setdefault('SESSION_COOKIE_PATH', config.get('COOKIE_DEFAULT_PATH'))
+
+ # if a script name is preset, session cookies should go to sub path
+ if 'SCRIPT_NAME' in os.environ and os.environ["SCRIPT_NAME"]:
+ config.update(dict({
+ 'APPLICATION_ROOT': os.environ["SCRIPT_NAME"],
+ 'SESSION_COOKIE_PATH': os.environ["SCRIPT_NAME"],
+ }))
+
 return config
diff --git a/web/pgadmin/preferences/__init__.py b/web/pgadmin/preferences/__init__.py
index a49509738..621567b1f 100644
--- a/web/pgadmin/preferences/__init__.py
+++ b/web/pgadmin/preferences/__init__.py
@@ -262,7 +262,7 @@ def save():
 setattr(session, 'PGADMIN_LANGUAGE', language)
 response.set_cookie("PGADMIN_LANGUAGE", value=language,
- path=config.COOKIE_DEFAULT_PATH,
+ path=config.SESSION_COOKIE_PATH,
 secure=config.SESSION_COOKIE_SECURE,
 httponly=config.SESSION_COOKIE_HTTPONLY,
 samesite=config.SESSION_COOKIE_SAMESITE,
diff --git a/web/pgadmin/utils/session.py b/web/pgadmin/utils/session.py
index 78c1c2628..090c9e062 100644
--- a/web/pgadmin/utils/session.py
+++ b/web/pgadmin/utils/session.py
@@ -314,6 +314,7 @@ class ManagedSessionInterface(SessionInterface):
 app.config['SESSION_COOKIE_NAME'],
 '%s!%s' % (session.sid, session.hmac_digest),
 expires=cookie_exp,
+ path=config.SESSION_COOKIE_PATH,
 secure=config.SESSION_COOKIE_SECURE,
 httponly=config.SESSION_COOKIE_HTTPONLY,
 samesite=config.SESSION_COOKIE_SAMESITE,
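Review bot: When SCRIPT_NAME is set in the environment, the `config.update(...)` block overwrites SESSION_COOKIE_PATH unconditionally, so a SESSION_COOKIE_PATH (or COOKIE_DEFAULT_PATH) the operator set explicitly is silently discarded even though the `setdefault` line just above honours it; if the environment is meant to be a fallback rather than an override, use `config.setdefault('SESSION_COOKIE_PATH', os.environ["SCRIPT_NAME"])` inside the branch, and either way state the precedence in the comment. That `setdefault` also uses `config.get('COOKIE_DEFAULT_PATH')`, which yields None when the key is absent and would then reach every `set_cookie` call as `path=None`, dropping the Path attribute so the browser applies its per-request default path; presumably COOKIE_DEFAULT_PATH is always defined, but `config.get('COOKIE_DEFAULT_PATH', '/')` makes that explicit. The new comment has a typo and reads better as `# if a script name is present, session cookies are scoped to that sub path`. The branch references `os.environ` while the diffstat shows no import added to this file, so evaluate_config.py must already import `os`; worth confirming. The rest of `evaluate_and_patch_config` starts outside the hunk.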
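Review bot: The added `path=config.SESSION_COOKIE_PATH` reads the pgAdmin module config, while the cookie name two lines above comes from `app.config['SESSION_COOKIE_NAME']`, and `SESSION_COOKIE_PATH` is also the key Flask's own session interface reads from `app.config` (falling back to APPLICATION_ROOT); unless create_app copies the value into app.config, an operator who sets the Flask key will see it ignored here, so either read `app.config.get('SESSION_COOKIE_PATH', config.SESSION_COOKIE_PATH)` or add a comment stating that the pgAdmin config value is authoritative for this cookie. A second comment on the same line would help future readers: scoping the session cookie to the SCRIPT_NAME sub path keeps several pgAdmin instances on one host from overwriting each other's cookies, but the cookie Path attribute is not an isolation boundary, since any application on the same origin can still read or replace it, so it must not be relied on in place of a dedicated host name. The enclosing method of ManagedSessionInterface starts outside the hunk.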