Fix session config and add debug logging

config.py

@@ -9,11 +9,13 @@ if not os.environ.get('RENDER') and not os.environ.get('SPACE_ID'):
 # Set Flask app for CLI commands (needed for flask db upgrade)
 os.environ.setdefault('FLASK_APP', 'run.py')
 
-# Check if running in production (Render or HF Spaces)
-IS_PRODUCTION = os.environ.get('RENDER') or os.environ.get('SPACE_ID')
-
 class Config:
-    SECRET_KEY = os.environ.get('FLASK_SECRET_KEY') or os.environ.get('SECRET_KEY') or 'dev-secret-key-change-in-production-2024'
+    # Check if running in production (Render or HF Spaces)
+    IS_PRODUCTION = bool(os.environ.get('RENDER') or os.environ.get('SPACE_ID'))
+    
+    # SECRET_KEY is CRITICAL for sessions and CSRF
+    SECRET_KEY = os.environ.get('SECRET_KEY') or os.environ.get('FLASK_SECRET_KEY') or 'dev-secret-key-change-in-production-2024'
+    
     SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URL') or \
         'sqlite:///' + os.path.join(basedir, 'instance', 'app.db')
     SQLALCHEMY_TRACK_MODIFICATIONS = False
@@ -21,25 +23,17 @@ class Config:
     # WTF CSRF Settings
     WTF_CSRF_ENABLED = True
     WTF_CSRF_TIME_LIMIT = 3600  # 1 hour token validity
-    WTF_CSRF_SSL_STRICT = False  # Allow CSRF over HTTP for development
+    WTF_CSRF_SSL_STRICT = False  # Don't require HTTPS for CSRF
 
-    # Session configuration
+    # Session configuration - CRITICAL for CSRF to work
     SESSION_COOKIE_HTTPONLY = True
-    SESSION_COOKIE_SAMESITE = 'Lax'  # Default for local development
+    SESSION_COOKIE_SAMESITE = 'Lax'
     PERMANENT_SESSION_LIFETIME = 7200  # 2 hours
-    SESSION_REFRESH_EACH_REQUEST = True  # Refresh session on each request
-    SESSION_USE_SIGNER = True  # Sign session cookies for security
-    SESSION_COOKIE_NAME = 'learning_path_session'  # Custom session cookie name
+    SESSION_COOKIE_NAME = 'learning_path_session'
     
-    # Ensure cookies work with OAuth redirects in production
-    if IS_PRODUCTION:
-        SESSION_COOKIE_SECURE = True       # Cookie only over HTTPS
-        SESSION_COOKIE_SAMESITE = 'Lax'    # Lax works better for same-site forms
-        REMEMBER_COOKIE_SECURE = True
-        REMEMBER_COOKIE_SAMESITE = 'Lax'
-    else:
-        # Local development - allow HTTP cookies
-        SESSION_COOKIE_SECURE = False
-        REMEMBER_COOKIE_SECURE = False
+    # Production settings (HF Spaces uses HTTPS)
+    SESSION_COOKIE_SECURE = IS_PRODUCTION  # True for HTTPS, False for HTTP
+    REMEMBER_COOKIE_SECURE = IS_PRODUCTION
+    REMEMBER_COOKIE_SAMESITE = 'Lax'
         
     LOG_TO_STDOUT = os.environ.get('LOG_TO_STDOUT')

start.sh

@@ -6,11 +6,23 @@ echo "=== Starting AI Learning Path Generator ==="
 # Set Flask app for migrations
 export FLASK_APP=web_app:create_app
 
+# Debug: Check if SECRET_KEY is set
+if [ -z "$SECRET_KEY" ]; then
+    echo "WARNING: SECRET_KEY is not set! Sessions/CSRF will not work properly."
+else
+    echo "SECRET_KEY is configured (length: ${#SECRET_KEY})"
+fi
+
 # Initialize database if it doesn't exist
 echo "Initializing database..."
 python -c "
 from web_app import create_app
 from web_app.models import db
+from config import Config
+
+print(f'SECRET_KEY set: {bool(Config.SECRET_KEY)}')
+print(f'IS_PRODUCTION: {Config.IS_PRODUCTION}')
+print(f'SESSION_COOKIE_SECURE: {Config.SESSION_COOKIE_SECURE}')
 
 app = create_app()
 with app.app_context():