diff --git a/api/app.py b/api/app.py
index 3a47d04..5886aa8 100644
--- a/api/app.py
+++ b/api/app.py
@@ -133,6 +133,12 @@ else:
 app.config['SECRET_KEY'] = _flask_secret
 app.config['SESSION_COOKIE_HTTPONLY'] = True
 app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+# Each PIC instance has a unique secret key — derive a short suffix from it so
+# multiple instances accessed via the same hostname (e.g. localhost:portA vs
+# localhost:portB) don't share session cookies and log each other out.
+import hashlib as _hl
+_cookie_suffix = _hl.sha256(_flask_secret).hexdigest()[:8]
+app.config['SESSION_COOKIE_NAME'] = f'pic_sess_{_cookie_suffix}'
 # config_manager, service_bus, log_manager and all other managers are imported
 # from managers.py above — no re-instantiation needed here.
diff --git a/tests/test_auth_routes.py b/tests/test_auth_routes.py
index 54cb2ec..640f6bf 100644
--- a/tests/test_auth_routes.py
+++ b/tests/test_auth_routes.py
@@ -152,7 +152,7 @@ def test_login_success(app_client):
 def test_login_success_sets_session_cookie(app_client):
 r = _login(app_client, 'admin', 'AdminPass123!')
 assert r.status_code == 200
-assert 'session' in (r.headers.get('Set-Cookie', '') or '')
+assert 'pic_sess_' in (r.headers.get('Set-Cookie', '') or '')
 def test_login_wrong_password(app_client):
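Review bot: `_hl.sha256(_flask_secret)` in the api/app.py hunk only works if `_flask_secret` is already `bytes`; if it is a `str` (for instance read from an environment variable or a config file) the call raises `TypeError` at import time and the app fails to start. Normalise first, `_secret_bytes = _flask_secret if isinstance(_flask_secret, bytes) else str(_flask_secret).encode('utf-8')`, and hash that. The suffix is also a truncated plain digest of the signing key that is sent to every client in the cookie name; prefer a domain-separated derivation such as `_hl.sha256(b'pic-session-cookie:' + _secret_bytes).hexdigest()[:8]` so no public value is a direct hash of the secret. The inline `import hashlib as _hl` belongs with the module's top-of-file imports, and since the `if`/`else` that assigns `SECRET_KEY` starts outside the hunk it is unclear whether `_flask_secret` is guaranteed non-empty on both branches.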