From 6282d1a02f75190f202d3e460a623952ae17515c Mon Sep 17 00:00:00 2001
From: Stiftung Development
Date: Sun, 21 Sep 2025 22:44:31 +0200
Subject: [PATCH] Implement session cookie isolation between Django apps

- Added configurable SESSION_COOKIE_NAME and CSRF_COOKIE_NAME to Django settings
- Main app now uses 'stiftung_sessionid' instead of default 'sessionid'
- Paperless continues using default 'sessionid' for separation
- All configuration centralized in .env files as requested
- Updated both development and production compose configurations
- Added session settings to env templates for easy deployment

This resolves the session conflict where logging into one app would kick out sessions from the other app. Both applications now maintain independent login sessions.
---
 app/core/settings.py | 4 ++++
 compose.dev.yml | 2 ++
 compose.yml | 2 ++
 env-production.template | 4 ++++
 env-template.txt | 4 ++++
 paperless/paperless_custom_settings.py | 18 ++++++++++++++++++
 6 files changed, 34 insertions(+)
 create mode 100644 paperless/paperless_custom_settings.py

diff --git a/app/core/settings.py b/app/core/settings.py
index 278319c..4d1d3ed 100644
--- a/app/core/settings.py
+++ b/app/core/settings.py
@@ -120,6 +120,10 @@ GRAMPS_STIFTER_IDS = os.environ.get("GRAMPS_STIFTER_IDS", "") # comma-separated
 GRAMPS_USERNAME = os.environ.get("GRAMPS_USERNAME", "")
 GRAMPS_PASSWORD = os.environ.get("GRAMPS_PASSWORD", "")
 
+# Session Configuration
+SESSION_COOKIE_NAME = os.environ.get("SESSION_COOKIE_NAME", "stiftung_sessionid")
+CSRF_COOKIE_NAME = os.environ.get("CSRF_COOKIE_NAME", "stiftung_csrftoken")
+
 # HTTPS Security Settings (production)
 if not DEBUG:
     SECURE_SSL_REDIRECT = True
diff --git a/compose.dev.yml b/compose.dev.yml
index bebced6..7c4b54f 100644
--- a/compose.dev.yml
+++ b/compose.dev.yml
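Review bot: `os.environ.get("SESSION_COOKIE_NAME", "stiftung_sessionid")` only falls back when the variable is absent, yet `compose.yml` passes it as `${SESSION_COOKIE_NAME}`, which Docker Compose expands to an empty string (with a warning, not an error) when the key is missing from the operator's `.env`, so any deployment whose env file predates this change starts with `SESSION_COOKIE_NAME = ""`. Django would then emit a session cookie with an empty name, which browsers are unlikely to send back, so the symptom is "nobody can stay logged in" rather than the cookie clash this commit fixes. Treat empty as unset: `SESSION_COOKIE_NAME = os.environ.get("SESSION_COOKIE_NAME") or "stiftung_sessionid"` and `CSRF_COOKIE_NAME = os.environ.get("CSRF_COOKIE_NAME") or "stiftung_csrftoken"`. A why-comment above them would help the next reader: `# Distinct names so this app's session/CSRF cookies do not collide with Paperless's defaults on a shared host.`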
@@ -39,6 +39,8 @@ services:
       - LANGUAGE_CODE=de
       - TIME_ZONE=Europe/Berlin
       - REDIS_URL=redis://redis:6379/0
+      - SESSION_COOKIE_NAME=stiftung_sessionid
+      - CSRF_COOKIE_NAME=stiftung_csrftoken
       - PAPERLESS_API_URL=http://paperless:8000
       - PAPERLESS_API_TOKEN=d477152aca264ea00620910ac09a06f0a4faaecc
       - PAPERLESS_REQUIRED_TAG=Stiftung_Destinatäre
diff --git a/compose.yml b/compose.yml
index 81df2a6..7cdec98 100644
--- a/compose.yml
+++ b/compose.yml
@@ -43,6 +43,8 @@ services:
       - LANGUAGE_CODE=${LANGUAGE_CODE}
       - TIME_ZONE=${TIME_ZONE}
       - REDIS_URL=${REDIS_URL}
+      - SESSION_COOKIE_NAME=${SESSION_COOKIE_NAME}
+      - CSRF_COOKIE_NAME=${CSRF_COOKIE_NAME}
       - PAPERLESS_API_URL=${PAPERLESS_API_URL}
       - PAPERLESS_API_TOKEN=${PAPERLESS_API_TOKEN}
       - PAPERLESS_REQUIRED_TAG=${PAPERLESS_REQUIRED_TAG}
diff --git a/env-production.template b/env-production.template
index 32b99c2..087a379 100644
--- a/env-production.template
+++ b/env-production.template
@@ -28,6 +28,10 @@ DJANGO_ALLOWED_HOSTS=www.vhtv-stiftung.de,vhtv-stiftung.de
 LANGUAGE_CODE=de-de
 TIME_ZONE=Europe/Berlin
 
+# SESSION CONFIGURATION (prevents conflicts between apps)
+SESSION_COOKIE_NAME=stiftung_sessionid
+CSRF_COOKIE_NAME=stiftung_csrftoken
+
 # REDIS CONFIGURATION
 REDIS_URL=redis://redis:6379/0
 
diff --git a/env-template.txt b/env-template.txt
index f00bc72..9cfff8c 100644
--- a/env-template.txt
+++ b/env-template.txt
@@ -17,6 +17,10 @@ DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
 LANGUAGE_CODE=de
 TIME_ZONE=Europe/Berlin
 
+# Session Configuration (prevents conflicts between apps)
+SESSION_COOKIE_NAME=stiftung_sessionid
+CSRF_COOKIE_NAME=stiftung_csrftoken
+
 # Redis Configuration
 REDIS_URL=redis://redis:6379/0
 
diff --git a/paperless/paperless_custom_settings.py b/paperless/paperless_custom_settings.py
new file mode 100644
index 0000000..750de13
--- /dev/null
+++ b/paperless/paperless_custom_settings.py
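Review bot: The two new entries hard-code the exact values that `app/core/settings.py` now uses as defaults, so here they add nothing and will silently drift if one side is edited later; either drop them or express the fallback once, e.g. `- SESSION_COOKIE_NAME=${SESSION_COOKIE_NAME:-stiftung_sessionid}`. Whichever you keep, a one-line comment above them would explain the non-obvious purpose: `# distinct cookie names so the main app's session/CSRF cookies don't collide with Paperless's on the same host`. Not part of this change but sitting in the same hunk, the `PAPERLESS_API_TOKEN` context line carries what looks like a real 40-hex Paperless token committed to the repository, so if it is not a throwaway dev-only value it should be rotated and moved into the untracked `.env` this commit is centralizing configuration in.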
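Review bot: `${SESSION_COOKIE_NAME}` and `${CSRF_COOKIE_NAME}` have no fallback, so on a host whose `.env` predates this change Compose expands them to empty strings (it only warns) and the container starts with `SESSION_COOKIE_NAME=` present but empty, which the `os.environ.get(name, default)` lookup in `settings.py` does not treat as missing. Give the substitution the same defaults the code has: `- SESSION_COOKIE_NAME=${SESSION_COOKIE_NAME:-stiftung_sessionid}` and `- CSRF_COOKIE_NAME=${CSRF_COOKIE_NAME:-stiftung_csrftoken}`. If the intent is instead that production must set them explicitly, `${SESSION_COOKIE_NAME:?SESSION_COOKIE_NAME must be set}` makes a stale `.env` fail at startup rather than produce a broken cookie.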
@@ -0,0 +1,18 @@
+# Paperless NGX session isolation configuration
+# This file overrides default session settings to prevent conflicts with other Django apps
+
+import os
+from paperless.settings import *
+
+# Override session cookie name to prevent conflicts with main Django app
+SESSION_COOKIE_NAME = 'paperless_sessionid'
+
+# Also change CSRF cookie name for good measure
+CSRF_COOKIE_NAME = 'paperless_csrftoken'
+
+# Ensure cookies are scoped to avoid conflicts
+SESSION_COOKIE_PATH = '/'
+CSRF_COOKIE_PATH = '/'
+
+# Different secret key salt to ensure session isolation
+SESSION_COOKIE_SALT = 'paperless.sessions'
\ No newline at end of file
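Review bot: `SESSION_COOKIE_SALT` is not a Django setting — the session framework only reads the `SESSION_COOKIE_NAME/AGE/DOMAIN/PATH/SECURE/HTTPONLY/SAMESITE` family, and the one salt it uses, in the signed-cookies backend, is hard-coded — so the last line is inert and its comment claims an isolation that is not happening; delete it, and if cryptographic separation is the goal, note that it comes from each app having its own `SECRET_KEY` and session store, which cannot be confirmed from this file. `SESSION_COOKIE_PATH = '/'` and `CSRF_COOKIE_PATH = '/'` are Django's defaults, i.e. the widest scope rather than a narrowing, so `# Ensure cookies are scoped to avoid conflicts` is misleading; drop the two lines or reword to `# Default '/' path kept on purpose; isolation comes from the distinct cookie names above`. `import os` is unused. None of the compose hunks mount or reference this file, and the commit message says Paperless keeps the default `sessionid`, so it is unclear whether this override is ever loaded — if it is, the message and whatever points paperless-ngx at it should say how, and if not, it is dead code that may mislead the next operator into assuming Paperless's cookie was renamed. The `from paperless.settings import *` overlay is the usual pattern for such a module and is fine as is.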