From e147d4f670453a502a077fc2d9a54a3dd51a09b1 Mon Sep 17 00:00:00 2001
From: Stefan Hacker <duffy@debian-linux-terminal.local>
Date: Thu, 9 Apr 2026 16:10:21 +0200
Subject: [PATCH] Fix session loss by using stable secret key

Derive secret_key from credentials instead of random generation,
so sessions survive container restarts and work across workers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 app/app.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/app.py b/app/app.py
index 489a92f..0613c06 100644
--- a/app/app.py
+++ b/app/app.py
@@ -1,6 +1,6 @@
+import hashlib
 import json
 import os
-import secrets
 import subprocess
 from functools import wraps
 from pathlib import Path
@@ -9,7 +9,12 @@ from flask import (Flask, jsonify, redirect, render_template, request,
                    send_file, session, url_for)
 
 app = Flask(__name__)
-app.secret_key = os.environ.get("SECRET_KEY", secrets.token_hex(32))
+
+# Stable secret key: derive from username+password so it survives restarts
+# but changes when credentials change
+_username = os.environ.get("WEBUI_USERNAME", "admin")
+_password = os.environ.get("WEBUI_PASSWORD", "admin123")
+app.secret_key = hashlib.sha256(f"{_username}:{_password}:proxy-secret".encode()).hexdigest()
 
 CONFIG_FILE = "/data/proxy_config.json"
 NGINX_CONF_DIR = "/etc/nginx/conf.d"