Add the Flask-Paranoid module for a little extra, well, paranoia in web mode. Fixes #2584

requirements.txt

@@ -41,3 +41,4 @@ sqlparse==0.1.19
 Werkzeug==0.9.6
 WTForms==2.0.2
 backports.csv==1.0.4; python_version <= '2.7'
+Flask-Paranoid==0.1.0

web/pgadmin/__init__.py

@@ -22,6 +22,7 @@ from flask_security import Security, SQLAlchemyUserDatastore
 from flask_mail import Mail
 from flask_security.utils import login_user
 from werkzeug.datastructures import ImmutableDict
+from flask_paranoid import Paranoid
 
 from pgadmin.utils import PgAdminModule, driver
 from pgadmin.utils.versioned_template_loader import VersionedTemplateLoader
@@ -285,6 +286,11 @@ def create_app(app_name=None):
 
     app.session_interface = create_session_interface(app)
 
+    # Make the Session more secure against XSS & CSRF when running in web mode
+    if config.SERVER_MODE:
+        paranoid = Paranoid(app)
+        paranoid.redirect_view = 'browser.index'
+
     ##########################################################################
     # Load all available server drivers
     ##########################################################################