Use COOKIE_DEFAULT_PATH or SCRIPT_NAME in session cookie path. #6557

Author: adityatoshniwal

web/pgadmin/__init__.py

@@ -496,11 +496,6 @@ def run_migration_for_others():
         'SECURITY_EMAIL_VALIDATOR_ARGS': config.SECURITY_EMAIL_VALIDATOR_ARGS
     }))
 
-    if 'SCRIPT_NAME' in os.environ and os.environ["SCRIPT_NAME"]:
-        app.config.update(dict({
-            'APPLICATION_ROOT': os.environ["SCRIPT_NAME"]
-        }))
-
     app.config.update(dict({
         'INTERNAL': INTERNAL,
         'LDAP': LDAP,
@@ -833,7 +828,7 @@ def after_request(response):
                     config.COOKIE_DEFAULT_DOMAIN != 'localhost':
                 domain['domain'] = config.COOKIE_DEFAULT_DOMAIN
             response.set_cookie('PGADMIN_INT_KEY', value=request.args['key'],
-                                path=config.COOKIE_DEFAULT_PATH,
+                                path=config.SESSION_COOKIE_PATH,
                                 secure=config.SESSION_COOKIE_SECURE,
                                 httponly=config.SESSION_COOKIE_HTTPONLY,
                                 samesite=config.SESSION_COOKIE_SAMESITE,

web/pgadmin/browser/__init__.py

@@ -422,7 +422,7 @@ def index():
         domain['domain'] = config.COOKIE_DEFAULT_DOMAIN
 
     response.set_cookie("PGADMIN_LANGUAGE", value=language,
-                        path=config.COOKIE_DEFAULT_PATH,
+                        path=config.SESSION_COOKIE_PATH,
                         secure=config.SESSION_COOKIE_SECURE,
                         httponly=config.SESSION_COOKIE_HTTPONLY,
                         samesite=config.SESSION_COOKIE_SAMESITE,

web/pgadmin/evaluate_config.py

@@ -127,4 +127,13 @@ def evaluate_and_patch_config(config: dict) -> dict:
             config.setdefault('DISABLED_LOCAL_PASSWORD_STORAGE', False)
             config.setdefault('KEYRING_NAME', k_name)
 
+    config.setdefault('SESSION_COOKIE_PATH', config.get('COOKIE_DEFAULT_PATH'))
+
+    # if a script name is preset, session cookies should go to sub path
+    if 'SCRIPT_NAME' in os.environ and os.environ["SCRIPT_NAME"]:
+        config.update(dict({
+            'APPLICATION_ROOT': os.environ["SCRIPT_NAME"],
+            'SESSION_COOKIE_PATH': os.environ["SCRIPT_NAME"],
+        }))
+
     return config

web/pgadmin/preferences/__init__.py

@@ -262,7 +262,7 @@ def save():
 
         setattr(session, 'PGADMIN_LANGUAGE', language)
         response.set_cookie("PGADMIN_LANGUAGE", value=language,
-                            path=config.COOKIE_DEFAULT_PATH,
+                            path=config.SESSION_COOKIE_PATH,
                             secure=config.SESSION_COOKIE_SECURE,
                             httponly=config.SESSION_COOKIE_HTTPONLY,
                             samesite=config.SESSION_COOKIE_SAMESITE,

web/pgadmin/utils/session.py

@@ -314,6 +314,7 @@ def save_session(self, app, session, response):
             app.config['SESSION_COOKIE_NAME'],
             '%s!%s' % (session.sid, session.hmac_digest),
             expires=cookie_exp,
+            path=config.SESSION_COOKIE_PATH,
             secure=config.SESSION_COOKIE_SECURE,
             httponly=config.SESSION_COOKIE_HTTPONLY,
             samesite=config.SESSION_COOKIE_SAMESITE,