Fix session cookie name collision when running multiple PIC instances on localhost

Flask's default cookie name ('session') is shared across all ports on the same
hostname. When two PIC instances are accessed via localhost:portA and localhost:portB,
logging into one overwrites the other's session cookie, causing repeated logouts.

Derive a unique 8-hex suffix from each instance's persistent SECRET_KEY and set
SESSION_COOKIE_NAME = 'pic_sess_<suffix>'. This ensures each cell uses a distinct
cookie name, so sessions are fully isolated regardless of hostname.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/app.py

@@ -133,6 +133,12 @@ else:
 app.config['SECRET_KEY'] = _flask_secret
 app.config['SESSION_COOKIE_HTTPONLY'] = True
 app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+# Each PIC instance has a unique secret key — derive a short suffix from it so
+# multiple instances accessed via the same hostname (e.g. localhost:portA vs
+# localhost:portB) don't share session cookies and log each other out.
+import hashlib as _hl
+_cookie_suffix = _hl.sha256(_flask_secret).hexdigest()[:8]
+app.config['SESSION_COOKIE_NAME'] = f'pic_sess_{_cookie_suffix}'
 
 # config_manager, service_bus, log_manager and all other managers are imported
 # from managers.py above — no re-instantiation needed here.

tests/test_auth_routes.py

@@ -152,7 +152,7 @@ def test_login_success(app_client):
 def test_login_success_sets_session_cookie(app_client):
     r = _login(app_client, 'admin', 'AdminPass123!')
     assert r.status_code == 200
-    assert 'session' in (r.headers.get('Set-Cookie', '') or '')
+    assert 'pic_sess_' in (r.headers.get('Set-Cookie', '') or '')
 
 
 def test_login_wrong_password(app_client):