Allow enhanced cookie protection to be disabled for compatibility with dynamically addressed hosting environments. Fixes #4566

web/config.py

@@ -432,6 +432,16 @@ ALLOW_SAVE_TUNNEL_PASSWORD = False
 ##########################################################################
 MASTER_PASSWORD_REQUIRED = True
 
+##########################################################################
+# Allows pgAdmin4 to create session cookies based on IP address, so even
+# if a cookie is stolen, the attacker will not be able to connect to the
+# server using that stolen cookie.
+# Note: This can cause problems when the server is deployed in dynamic IP
+# address hosting environments, such as Kubernetes or behind load
+# balancers. In such cases, this option should be set to False.
+##########################################################################
+ENHANCED_COOKIE_PROTECTION = True
+
 ##########################################################################
 # Local config settings
 ##########################################################################

web/pgadmin/__init__.py

@@ -390,7 +390,7 @@ def create_app(app_name=None):
     )
 
     # Make the Session more secure against XSS & CSRF when running in web mode
-    if config.SERVER_MODE:
+    if config.SERVER_MODE and config.ENHANCED_COOKIE_PROTECTION:
         paranoid = Paranoid(app)
         paranoid.redirect_view = 'browser.index'