From 64f3a559abadd62b9c49b78e1a937191fb0253ef Mon Sep 17 00:00:00 2001
From: Murtuza Zabuawala
Date: Thu, 20 Jul 2017 18:04:33 +0100
Subject: [PATCH] Add the Flask-Paranoid module for a little extra, well, paranoia in web mode. Fixes #2584
---
 requirements.txt | 1 +
 web/pgadmin/__init__.py | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/requirements.txt b/requirements.txt
index cc00a8d69..9baf999b2 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -41,3 +41,4 @@ sqlparse==0.1.19
 Werkzeug==0.9.6
 WTForms==2.0.2
 backports.csv==1.0.4; python_version <= '2.7'
+Flask-Paranoid==0.1.0
diff --git a/web/pgadmin/__init__.py b/web/pgadmin/__init__.py
index 86ee80d56..49c4fdd48 100644
--- a/web/pgadmin/__init__.py
+++ b/web/pgadmin/__init__.py
@@ -22,6 +22,7 @@ from flask_security import Security, SQLAlchemyUserDatastore
 from flask_mail import Mail
 from flask_security.utils import login_user
 from werkzeug.datastructures import ImmutableDict
+from flask_paranoid import Paranoid
 from pgadmin.utils import PgAdminModule, driver
 from pgadmin.utils.versioned_template_loader import VersionedTemplateLoader
 
@@ -285,6 +286,11 @@ def create_app(app_name=None):
     app.session_interface = create_session_interface(app)
 
+    # Make the Session more secure against XSS & CSRF when running in web mode
+    if config.SERVER_MODE:
+        paranoid = Paranoid(app)
+        paranoid.redirect_view = 'browser.index'
+
     ##########################################################################
     # Load all available server drivers
     ##########################################################################
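Review bot: `Flask-Paranoid==0.1.0` is pinned by version only, which matches the rest of the file but is the weaker control for a new third-party package that will sit in the session-validation path of every web-mode request. If the project's pip supports it, a hash pin (`Flask-Paranoid==0.1.0 --hash=sha256:<digest of the reviewed sdist/wheel>` installed with `--require-hashes`) guarantees that the artifact that was reviewed is the one deployed; since that mode requires hashes on every line, it is probably a follow-up for the whole file rather than this commit. At minimum the commit message or a comment should record that 0.1.0 is the first public release of the extension, so the pin is revisited deliberately rather than left behind.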
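Review bot: The new comment `# Make the Session more secure against XSS & CSRF when running in web mode` claims a protection Flask-Paranoid does not provide; as far as I know the extension binds the session to a fingerprint of the client (user agent and remote address) and invalidates the session on mismatch, which mitigates cookie theft and session hijacking but does nothing against XSS or CSRF, so the wording will mislead the next maintainer into thinking those are covered here. I would replace it with `# Flask-Paranoid: bind the session to the client fingerprint (UA/IP) and drop it on mismatch to mitigate session hijacking; this is not XSS or CSRF protection`. Two deployment caveats deserve a line next to it: behind a reverse proxy the remote address Flask sees is the proxy's unless a ProxyFix-style middleware is applied, which collapses the IP part of the fingerprint for every user, and clients whose address legitimately changes mid-session (mobile, NAT pools) will be bounced to `browser.index` on each change with nothing in the log to explain why. Nothing in the hunk handles the desktop case differently, which is correct since the guard is `config.SERVER_MODE`; `create_app` continues outside the hunk.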