Reframe session key rotation as expected behavior, not a caveat

A restart generating a new key and invalidating sessions is a
security feature, not a problem. Update docs to present it neutrally.

https://claude.ai/code/session_018iMt5qm4j9bk8wzytLC3E6
This commit is contained in:
Claude
2026-02-27 22:16:44 +00:00
parent bf6b1180de
commit 5ab96df34f
2 changed files with 3 additions and 3 deletions

View File

@@ -25,6 +25,6 @@ LIDARR_QUALITY_PROFILE_ID=1
LIDARR_ROOT_FOLDER=/music LIDARR_ROOT_FOLDER=/music
# App # App
# SESSION_SECRET_KEY is auto-generated if omitted. Set it explicitly so sessions survive restarts. # SESSION_SECRET_KEY is auto-generated if omitted. A new key on every restart invalidates all sessions.
# SESSION_SECRET_KEY= # SESSION_SECRET_KEY=
DATABASE_PATH=bellhop.db DATABASE_PATH=bellhop.db

View File

@@ -114,7 +114,7 @@ Copy the `access_token` from the response.
| Variable | Default | Description | | Variable | Default | Description |
|---|---|---| |---|---|---|
| `SESSION_SECRET_KEY` | _(auto-generated)_ | Secret for signing session cookies. Auto-generated at startup if not set. Set this explicitly in production so sessions survive restarts. | | `SESSION_SECRET_KEY` | _(auto-generated)_ | Secret for signing session cookies. Auto-generated at startup if not set. A new key is generated on every restart, which invalidates all existing sessions. |
| `DATABASE_PATH` | `bellhop.db` | Path to the SQLite database file | | `DATABASE_PATH` | `bellhop.db` | Path to the SQLite database file |
## API Reference ## API Reference
@@ -244,7 +244,7 @@ Bellhop/
### Production Recommendations ### Production Recommendations
- Run behind a reverse proxy (nginx, Caddy, Traefik) with TLS termination so the `secure` cookie flag works. - Run behind a reverse proxy (nginx, Caddy, Traefik) with TLS termination so the `secure` cookie flag works.
- Set `SESSION_SECRET_KEY` explicitly so sessions survive process restarts. - If you want sessions to persist across restarts, set `SESSION_SECRET_KEY` explicitly. Otherwise, all users are logged out on restart.
- Restrict network access to your *arr instances — only the Bellhop container needs to reach them. - Restrict network access to your *arr instances — only the Bellhop container needs to reach them.
- Use a dedicated Matrix bot account for audit logging rather than a personal account. - Use a dedicated Matrix bot account for audit logging rather than a personal account.