Fix session loss by using stable secret key

Derive secret_key from credentials instead of random generation,
so sessions survive container restarts and work across workers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/app.py

@@ -1,6 +1,6 @@
+import hashlib
 import json
 import os
-import secrets
 import subprocess
 from functools import wraps
 from pathlib import Path
@@ -9,7 +9,12 @@ from flask import (Flask, jsonify, redirect, render_template, request,
                    send_file, session, url_for)
 
 app = Flask(__name__)
-app.secret_key = os.environ.get("SECRET_KEY", secrets.token_hex(32))
+
+# Stable secret key: derive from username+password so it survives restarts
+# but changes when credentials change
+_username = os.environ.get("WEBUI_USERNAME", "admin")
+_password = os.environ.get("WEBUI_PASSWORD", "admin123")
+app.secret_key = hashlib.sha256(f"{_username}:{_password}:proxy-secret".encode()).hexdigest()
 
 CONFIG_FILE = "/data/proxy_config.json"
 NGINX_CONF_DIR = "/etc/nginx/conf.d"