Don't use an hardcoded session key

[jvoisin]

This fixes a trivial authentication bypass,
according to https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions

[OzzieIsaacs]

I agree with you, the hardcoded session key isn't good. Your solution leads to an automatic logout after restart of calibre-web.
This is okay so far, except one usecase: If you configure Calibre-Web in admin section there are several configurations, which lead to a reboot of Calibre-Web to apply the new setting (admin.py, functions update_view_configuration and _configuration_update_helper). In this cases you have to login after applying each setting.
I suggest storing the session_key in the app.db on first start of Calibre-Web and using the same session key after each restart. Or to be more secure: Only in cases of an intentional restart the session key is stored in the database, the boot logic loads the session key afterwards, deletes it in the app database. For any other reboots the key isn't stored and after restart of Calibre-Web a new session key is generated.

[jvoisin]

This is tracked as CVE-2020-12627.

[OzzieIsaacs]

@Technosoft2000: There was security problem found in Calibre-Web. I created a release with version 0.6.7 to address the issue. The problem could be avoided in older releases by generating an own session key and providing it to Calibre-Web via environment variable 'SECRET_KEY'

[Technosoft2000]

Thank you for the information @OzzieIsaacs