Complete session fix for Hugging Face deployment

app.py

@@ -1,5 +1,4 @@
 from flask import Flask, render_template, request, redirect, url_for, flash, session, jsonify
-from flask_session import Session
 from werkzeug.middleware.proxy_fix import ProxyFix
 import os
 import gc
@@ -43,19 +42,20 @@ load_dotenv()
 # Initialize Flask app
 app = Flask(__name__, static_folder='app/static', template_folder='app/templates')
 
-# CRITICAL FIX: Set consistent SECRET_KEY
-app.secret_key = os.environ.get('SECRET_KEY', 'your-very-secure-secret-key-change-in-production')
+# CRITICAL FIX: Enhanced secret key and session config for Hugging Face
+app.secret_key = os.environ.get('SECRET_KEY', 'huggingface-face-recognition-super-secret-key-2025')
 
-# CRITICAL FIX: Use Flask's built-in signed cookie sessions
+# CRITICAL FIX: Optimized session config for Hugging Face Spaces
 app.config.update({
     'PERMANENT_SESSION_LIFETIME': timedelta(hours=2),
-    'SESSION_COOKIE_NAME': 'session',
+    'SESSION_COOKIE_NAME': 'face_app_session',
     'SESSION_COOKIE_HTTPONLY': True,
-    'SESSION_COOKIE_SECURE': False,
-    'SESSION_COOKIE_SAMESITE': 'Lax',
-    'SESSION_REFRESH_EACH_REQUEST': True,
+    'SESSION_COOKIE_SECURE': False,  # Hugging Face uses HTTP internally
+    'SESSION_COOKIE_SAMESITE': None,  # Critical for Hugging Face iframe
+    'SESSION_REFRESH_EACH_REQUEST': False,  # Prevent session reset
     'SESSION_COOKIE_DOMAIN': None,
-    'SESSION_COOKIE_PATH': '/'
+    'SESSION_COOKIE_PATH': '/',
+    'SEND_FILE_MAX_AGE_DEFAULT': 0  # Disable caching
 })
 
 # CRITICAL FIX: Add ProxyFix middleware for Hugging Face reverse proxy
@@ -69,7 +69,6 @@ app.wsgi_app = ProxyFix(
 
 print("Flask app initialized with ProxyFix middleware and built-in cookie sessions")
 
-
 # Create temporary directory for image processing
 TEMP_DIR = tempfile.mkdtemp()
 
@@ -561,6 +560,8 @@ def login():
         
         print(f"=== LOGIN DEBUG ===")
         print(f"Student ID: {student_id}")
+        print(f"Request headers: {dict(request.headers)}")
+        print(f"User-Agent: {request.headers.get('User-Agent', 'N/A')}")
         
         if not student_id or not password:
             flash('Student ID and password are required.', 'danger')
@@ -570,18 +571,34 @@ def login():
         print(f"Student found: {bool(student)}")
         
         if student and student.get('password') == password:
-            # CRITICAL FIX: Simplified session setting
+            # CRITICAL FIX: Clear and set session with permanent flag
             session.clear()
+            session.permanent = True  # Make session permanent FIRST
+            
             session['logged_in'] = True
             session['user_type'] = 'student'
             session['student_id'] = student_id
             session['name'] = student.get('name', 'Unknown')
+            session['login_time'] = datetime.now().isoformat()
             
             print(f"Session after setting: {dict(session)}")
+            print(f"Session permanent: {session.permanent}")
+            print(f"Session modified: {session.modified}")
+            
             flash('Login successful!', 'success')
             
-            # Direct redirect without manual session saving
-            return redirect(url_for('dashboard'))
+            # Create response and explicitly save session
+            response = redirect(url_for('dashboard'))
+            
+            # Add session cookie headers manually for debugging
+            response.set_cookie(
+                'debug_session', 
+                f"logged_in_at_{int(datetime.now().timestamp())}", 
+                max_age=3600,
+                httponly=False
+            )
+            
+            return response
         else:
             print("Invalid credentials")
             flash('Invalid credentials. Please try again.', 'danger')
@@ -592,7 +609,6 @@ def login():
         flash(f'Login failed: {str(e)}', 'danger')
         return redirect(url_for('login_page'))
 
-
 @app.route('/face-login', methods=['POST'])
 def face_login():
     try:
@@ -647,10 +663,12 @@ def face_login():
                     if result["verified"]:
                         # CRITICAL FIX: Simplified session setting
                         session.clear()
+                        session.permanent = True
                         session['logged_in'] = True
                         session['user_type'] = face_role
                         session[id_field] = user[id_field]
                         session['name'] = user.get('name', 'Unknown')
+                        session['login_time'] = datetime.now().isoformat()
                         
                         print(f"Face login successful for {user.get('name')}, Session: {dict(session)}")
                         flash('Face login successful!', 'success')
@@ -689,7 +707,6 @@ def face_login():
         flash(f'Face login failed: {str(e)}', 'danger')
         return redirect(url_for('login_page'))
 
-
 @app.route('/auto-face-login', methods=['POST'])
 def auto_face_login():
     """Enhanced auto face login with role support"""
@@ -740,14 +757,12 @@ def auto_face_login():
                     if result["verified"]:
                         # Clear any existing session
                         session.clear()
-                        
-                        # Set session variables with Flask-Session
+                        session.permanent = True
                         session['logged_in'] = True
                         session['user_type'] = face_role
                         session[id_field] = user[id_field]
                         session['name'] = user.get('name', 'Unknown')
-                        session.permanent = True
-                        session.modified = True
+                        session['login_time'] = datetime.now().isoformat()
                         
                         print(f"Auto face login successful for {user.get('name')}, Session: {dict(session)}")
                         
@@ -797,25 +812,33 @@ def attendance_page():
 @app.route('/dashboard')
 def dashboard():
     print(f"=== DASHBOARD DEBUG ===")
+    print(f"Request headers: {dict(request.headers)}")
+    print(f"Request cookies: {dict(request.cookies)}")
     print(f"Session data: {dict(session)}")
     print(f"Session keys: {list(session.keys())}")
+    print(f"Session permanent: {getattr(session, 'permanent', 'N/A')}")
+    print(f"Session modified: {getattr(session, 'modified', 'N/A')}")
+    print(f"User-Agent: {request.headers.get('User-Agent', 'N/A')}")
     
-    # Check session data
+    # Check each session key individually
     logged_in = session.get('logged_in')
     user_type = session.get('user_type')
+    student_id = session.get('student_id')
     
     print(f"logged_in: {logged_in} (type: {type(logged_in)})")
     print(f"user_type: {user_type} (type: {type(user_type)})")
+    print(f"student_id: {student_id} (type: {type(student_id)})")
     
     if not logged_in or user_type != 'student':
         print("=== SESSION CHECK FAILED ===")
+        print("Possible causes:")
+        print("1. Session cookie not being sent")
+        print("2. Session data not persisting") 
+        print("3. Different user agents between requests")
         flash('Please log in to access the dashboard.', 'info')
         return redirect(url_for('login_page'))
     
     try:
-        student_id = session.get('student_id')
-        print(f"Loading dashboard for student: {student_id}")
-        
         student = students_collection.find_one({'student_id': student_id})
         if not student:
             print("Student not found in database")
@@ -840,24 +863,6 @@ def dashboard():
         flash(f'Error loading dashboard: {str(e)}', 'danger')
         return redirect(url_for('login_page'))
 
-        
-        # Process face image if exists
-        if student and 'face_image' in student and student['face_image']:
-            face_image_base64 = base64.b64encode(student['face_image']).decode('utf-8')
-            mime_type = student.get('face_image_type', 'image/jpeg')
-            student['face_image_url'] = f"data:{mime_type};base64,{face_image_base64}"
-        
-        # Get attendance records
-        attendance_records = list(attendance_collection.find({'student_id': student_id}).sort('date', -1))
-        
-        print(f"Dashboard loaded successfully for {student.get('name')}")
-        return render_template('dashboard.html', student=student, attendance_records=attendance_records)
-        
-    except Exception as e:
-        print(f"Dashboard error: {e}")
-        flash(f'Error loading dashboard: {str(e)}', 'danger')
-        return redirect(url_for('login_page'))
-
 @app.route('/mark-attendance', methods=['POST'])
 def mark_attendance():
     if 'logged_in' not in session or session.get('user_type') != 'student':
@@ -1170,14 +1175,12 @@ def teacher_login():
         if teacher and teacher.get('password') == password:
             # Clear any existing session
             session.clear()
-            
-            # Set session variables with Flask-Session
+            session.permanent = True
             session['logged_in'] = True
             session['user_type'] = 'teacher'
             session['teacher_id'] = teacher_id
             session['name'] = teacher.get('name', 'Unknown')
-            session.permanent = True
-            session.modified = True
+            session['login_time'] = datetime.now().isoformat()
             
             print(f"Teacher session set: {dict(session)}")
             flash('Login successful!', 'success')
@@ -1331,7 +1334,7 @@ def health_check():
         'status': 'healthy',
         'platform': 'hugging_face',
         'session_working': bool(session.get('logged_in')),
-        'session_storage': app.config['SESSION_TYPE'],
+        'session_storage': 'built-in_cookies',  # Fixed: removed SESSION_TYPE reference
         'proxy_fix': 'enabled',
         'session_keys': list(session.keys()),
         'timestamp': datetime.now().isoformat()
@@ -1344,13 +1347,28 @@ def debug_session():
         'session_keys': list(session.keys()),
         'cookies': dict(request.cookies),
         'headers': dict(request.headers),
-        'session_type': app.config['SESSION_TYPE'],
-        'session_dir': app.config['SESSION_FILE_DIR'],
+        'session_storage': 'built-in_cookies',
         'proxy_fix': 'enabled',
         'session_modified': getattr(session, 'modified', 'N/A'),
         'session_permanent': getattr(session, 'permanent', 'N/A')
     })
 
+@app.route('/debug-session-detailed')
+def debug_session_detailed():
+    return jsonify({
+        'session_data': dict(session),
+        'session_keys': list(session.keys()),
+        'cookies_received': dict(request.cookies),
+        'headers': dict(request.headers),
+        'user_agent': request.headers.get('User-Agent'),
+        'remote_addr': request.remote_addr,
+        'session_permanent': getattr(session, 'permanent', 'N/A'),
+        'session_modified': getattr(session, 'modified', 'N/A'),
+        'flask_secret_key_length': len(app.secret_key),
+        'session_interface_type': str(type(app.session_interface)),
+        'timestamp': datetime.now().isoformat()
+    })
+
 @app.route('/test-session')
 def test_session():
     """Test session functionality"""
@@ -1358,7 +1376,6 @@ def test_session():
     session['test_data'] = 'working'
     session['timestamp'] = datetime.now().isoformat()
     session.permanent = True
-    session.modified = True
     
     return jsonify({
         'message': 'Session test completed',
@@ -1378,5 +1395,5 @@ def manual_cleanup():
 # MAIN APPLICATION ENTRY POINT
 if __name__ == '__main__':
     port = int(os.environ.get('PORT', 7860))  # Hugging Face uses port 7860
-    print(f"Starting Flask app on port {port} with ProxyFix middleware and Flask-Session")
+    print(f"Starting Flask app on port {port} with ProxyFix middleware and built-in sessions")
     app.run(host='0.0.0.0', port=port, debug=False)