Use COOKIE_DEFAULT_PATH or SCRIPT_NAME in session cookie path. #6557

2024-01-22 12:25:20 +05:30 · 2024-01-22 12:25:20 +05:30 · 93d25eea0b
parent a166f8dc89
commit 93d25eea0b
5 changed files with 13 additions and 8 deletions
--- a/web/pgadmin/init.py
+++ b/web/pgadmin/init.py
@ -496,11 +496,6 @@ def create_app(app_name=None):
        'SECURITY_EMAIL_VALIDATOR_ARGS': config.SECURITY_EMAIL_VALIDATOR_ARGS
    }))

-    if 'SCRIPT_NAME' in os.environ and os.environ["SCRIPT_NAME"]:
-        app.config.update(dict({
-            'APPLICATION_ROOT': os.environ["SCRIPT_NAME"]
-        }))
-
    app.config.update(dict({
        'INTERNAL': INTERNAL,
        'LDAP': LDAP,
@ -833,7 +828,7 @@ def create_app(app_name=None):
                    config.COOKIE_DEFAULT_DOMAIN != 'localhost':
                domain['domain'] = config.COOKIE_DEFAULT_DOMAIN
            response.set_cookie('PGADMIN_INT_KEY', value=request.args['key'],
-                                path=config.COOKIE_DEFAULT_PATH,
+                                path=config.SESSION_COOKIE_PATH,
                                secure=config.SESSION_COOKIE_SECURE,
                                httponly=config.SESSION_COOKIE_HTTPONLY,
                                samesite=config.SESSION_COOKIE_SAMESITE,
--- a/web/pgadmin/browser/init.py
+++ b/web/pgadmin/browser/init.py
@ -422,7 +422,7 @@ def index():
        domain['domain'] = config.COOKIE_DEFAULT_DOMAIN

    response.set_cookie("PGADMIN_LANGUAGE", value=language,
-                        path=config.COOKIE_DEFAULT_PATH,
+                        path=config.SESSION_COOKIE_PATH,
                        secure=config.SESSION_COOKIE_SECURE,
                        httponly=config.SESSION_COOKIE_HTTPONLY,
                        samesite=config.SESSION_COOKIE_SAMESITE,
--- a/web/pgadmin/evaluate_config.py
+++ b/web/pgadmin/evaluate_config.py
@ -127,4 +127,13 @@ def evaluate_and_patch_config(config: dict) -> dict:
            config.setdefault('DISABLED_LOCAL_PASSWORD_STORAGE', False)
            config.setdefault('KEYRING_NAME', k_name)

+    config.setdefault('SESSION_COOKIE_PATH', config.get('COOKIE_DEFAULT_PATH'))
+
+    # if a script name is preset, session cookies should go to sub path
+    if 'SCRIPT_NAME' in os.environ and os.environ["SCRIPT_NAME"]:
+        config.update(dict({
+            'APPLICATION_ROOT': os.environ["SCRIPT_NAME"],
+            'SESSION_COOKIE_PATH': os.environ["SCRIPT_NAME"],
+        }))
+
    return config
--- a/web/pgadmin/preferences/init.py
+++ b/web/pgadmin/preferences/init.py
@ -262,7 +262,7 @@ def save():

        setattr(session, 'PGADMIN_LANGUAGE', language)
        response.set_cookie("PGADMIN_LANGUAGE", value=language,
-                            path=config.COOKIE_DEFAULT_PATH,
+                            path=config.SESSION_COOKIE_PATH,
                            secure=config.SESSION_COOKIE_SECURE,
                            httponly=config.SESSION_COOKIE_HTTPONLY,
                            samesite=config.SESSION_COOKIE_SAMESITE,
--- a/web/pgadmin/utils/session.py
+++ b/web/pgadmin/utils/session.py
@ -314,6 +314,7 @@ class ManagedSessionInterface(SessionInterface):
            app.config['SESSION_COOKIE_NAME'],
            '%s!%s' % (session.sid, session.hmac_digest),
            expires=cookie_exp,
+            path=config.SESSION_COOKIE_PATH,
            secure=config.SESSION_COOKIE_SECURE,
            httponly=config.SESSION_COOKIE_HTTPONLY,
            samesite=config.SESSION_COOKIE_SAMESITE,