From ee8fec6d7fbcfe529fa9b6e7dbf8e1fd95a71ba6 Mon Sep 17 00:00:00 2001
From: Murtuza Zabuawala
Date: Tue, 6 Aug 2019 09:21:31 +0100
Subject: [PATCH] Allow enhanced cookie protection to be disabled for compatibility with dynamically addressed hosting environments.

Fixes #4566
---
 docs/en_US/release_notes_4_12.rst | 1 +
 web/config.py | 10 ++++++++++
 web/pgadmin/__init__.py | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/docs/en_US/release_notes_4_12.rst b/docs/en_US/release_notes_4_12.rst
index eb7ea8ef4..0e6a12aaa 100644
--- a/docs/en_US/release_notes_4_12.rst
+++ b/docs/en_US/release_notes_4_12.rst
@@ -13,6 +13,7 @@ New features
 | `Issue #4334 `_ - Add support for generated columns in Postgres 12+.
 | `Issue #4540 `_ - Use the full tab space for CodeMirror instances on dialogues where appropriate.
 | `Issue #4549 `_ - Allow a banner to be displayed on the login and other related pages showing custom text.
+| `Issue #4566 `_ - Allow enhanced cookie protection to be disabled for compatibility with dynamically addressed hosting environments.
 
 Housekeeping
 ************
diff --git a/web/config.py b/web/config.py
index 6905ac609..64ff1c6fb 100644
--- a/web/config.py
+++ b/web/config.py
@@ -432,6 +432,16 @@ ALLOW_SAVE_TUNNEL_PASSWORD = False
 ##########################################################################
 MASTER_PASSWORD_REQUIRED = True
 
+##########################################################################
+# Allows pgAdmin4 to create session cookies based on IP address, so even
+# if a cookie is stolen, the attacker will not be able to connect to the
+# server using that stolen cookie.
+# Note: This can cause problems when the server is deployed in dynamic IP
+# address hosting environments, such as Kubernetes or behind load
+# balancers. In such cases, this option should be set to False.
+##########################################################################
+ENHANCED_COOKIE_PROTECTION = True
+
 ##########################################################################
 # Local config settings
 ##########################################################################
diff --git a/web/pgadmin/__init__.py b/web/pgadmin/__init__.py
index baf0ca307..94201abf9 100644
--- a/web/pgadmin/__init__.py
+++ b/web/pgadmin/__init__.py
@@ -390,7 +390,7 @@ def create_app(app_name=None):
     )
 
     # Make the Session more secure against XSS & CSRF when running in web mode
-    if config.SERVER_MODE:
+    if config.SERVER_MODE and config.ENHANCED_COOKIE_PROTECTION:
         paranoid = Paranoid(app)
         paranoid.redirect_view = 'browser.index'
 
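Review bot: The new comment block above `ENHANCED_COOKIE_PROTECTION` overstates what the option buys: binding the session to the client address narrows where a leaked cookie can be replayed from, but it is not a guarantee that a stolen cookie "will not be able to connect", and operators reading this may treat it as a substitute for transport and cookie hardening. I would reword the second sentence to `# server using that stolen cookie from a different client address. This is a` / `# defence-in-depth measure and does not replace HTTPS, Flask's` / `# SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY settings or short session lifetimes.`, and add a line saying that setting it to False in server mode removes the Flask-Paranoid session binding entirely, so the trade-off is explicit. The option is only mentioned in the release notes in this commit; if the project documents config.py keys elsewhere, this one should be added there too.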
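Review bot: When `SERVER_MODE` is on and `ENHANCED_COOKIE_PROTECTION` is False, the changed `if` silently skips the `Paranoid(app)` setup and nothing in the startup log records that the session-binding mitigation is off, which makes a weakened deployment hard to spot during incident review. I would add `elif config.SERVER_MODE:` / `app.logger.warning('ENHANCED_COOKIE_PROTECTION is disabled; sessions are not bound to the client address.')` after the `paranoid.redirect_view = 'browser.index'` line, using `elif` rather than `else` so desktop mode does not emit the warning. The comment on the line above the `if` should also mention the new switch, since it now only holds when the option is enabled. The enclosing `create_app` starts and ends outside the hunk.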