From ac0c16c97be48455d85e81b81f1a6b854d726576 Mon Sep 17 00:00:00 2001
From: Dmitrii Iurco
Date: Mon, 4 May 2026 09:15:42 -0400
Subject: [PATCH] Fix session cookie name collision when running multiple PIC instances on localhost

Flask's default cookie name ('session') is shared across all ports on the same hostname. When two PIC instances are accessed via localhost:portA and localhost:portB, logging into one overwrites the other's session cookie, causing repeated logouts. Derive a unique 8-hex suffix from each instance's persistent SECRET_KEY and set SESSION_COOKIE_NAME = 'pic_sess_'. This ensures each cell uses a distinct cookie name, so sessions are fully isolated regardless of hostname.

Co-Authored-By: Claude Sonnet 4.6
---
 api/app.py | 6 ++++++
 tests/test_auth_routes.py | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/api/app.py b/api/app.py
index 3a47d04..5886aa8 100644
--- a/api/app.py
+++ b/api/app.py
@@ -133,6 +133,12 @@ else:
 app.config['SECRET_KEY'] = _flask_secret
 app.config['SESSION_COOKIE_HTTPONLY'] = True
 app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+# Each PIC instance has a unique secret key — derive a short suffix from it so
+# multiple instances accessed via the same hostname (e.g. localhost:portA vs
+# localhost:portB) don't share session cookies and log each other out.
+import hashlib as _hl
+_cookie_suffix = _hl.sha256(_flask_secret).hexdigest()[:8]
+app.config['SESSION_COOKIE_NAME'] = f'pic_sess_{_cookie_suffix}'
 # config_manager, service_bus, log_manager and all other managers are imported
 # from managers.py above — no re-instantiation needed here.
diff --git a/tests/test_auth_routes.py b/tests/test_auth_routes.py
index 54cb2ec..640f6bf 100644
--- a/tests/test_auth_routes.py
+++ b/tests/test_auth_routes.py
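Review bot: `_hl.sha256(_flask_secret)` only works when `_flask_secret` is `bytes`; Flask accepts a `str` SECRET_KEY as well, and `_flask_secret` is assigned above this hunk, so if it is (or later becomes) a `str` the module fails at import time with a TypeError — normalise first with `_secret_bytes = _flask_secret if isinstance(_flask_secret, bytes) else _flask_secret.encode()`. The suffix is also sent to every browser as part of the cookie name, so it is a public 32-bit prefix of SHA-256(SECRET_KEY); that is harmless for a random high-entropy key, but it lets anyone who sees the cookie verify guesses of a weak key offline and couples the name to any other place that might hash the raw key. Hashing a labelled input keeps the exposed value domain-separated: `_cookie_suffix = _hl.sha256(b'pic-session-cookie:' + _secret_bytes).hexdigest()[:8]`. The mid-module `import hashlib as _hl` is out of place as well — `hashlib` is stdlib and belongs in the top-of-file import block. Note that existing `session` cookies are simply ignored after this change, so every user sees one forced re-login on upgrade.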
@@ -152,7 +152,7 @@ def test_login_success(app_client):
 def test_login_success_sets_session_cookie(app_client):
 r = _login(app_client, 'admin', 'AdminPass123!')
 assert r.status_code == 200
- assert 'session' in (r.headers.get('Set-Cookie', '') or '')
+ assert 'pic_sess_' in (r.headers.get('Set-Cookie', '') or '')
 def test_login_wrong_password(app_client):
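Review bot: The updated assertion only checks that the substring `pic_sess_` appears somewhere in the first Set-Cookie header, so it never verifies the derived name that `api/app.py` now configures and would pass for any cookie carrying that prefix. Comparing against the application's actual setting pins the behaviour, e.g. `assert app_client.application.config['SESSION_COOKIE_NAME'] in r.headers.get('Set-Cookie', '')` — this assumes `app_client` is a Flask test client; if the fixture wraps it differently, read the config from the app fixture instead. The `or ''` is redundant, since `headers.get('Set-Cookie', '')` already defaults to an empty string.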