FlowiseAI · chungyau97 · Nov 10, 2025 · Nov 10, 2025
diff --git a/docker/.env.example b/docker/.env.example
@@ -100,7 +100,7 @@ JWT_AUDIENCE='AUDIENCE'
 JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
-# EXPRESS_SESSION_SECRET=flowise
+# EXPRESS_SESSION_SECRET='54aca090d4764d05d8dfa8bccbdaede143617bda9dc23c67079422803566130f'
 # SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24

diff --git a/docker/worker/.env.example b/docker/worker/.env.example
@@ -100,7 +100,7 @@ JWT_AUDIENCE='AUDIENCE'
 JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
-# EXPRESS_SESSION_SECRET=flowise
+# EXPRESS_SESSION_SECRET='54aca090d4764d05d8dfa8bccbdaede143617bda9dc23c67079422803566130f'
 # SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24

diff --git a/packages/server/.env.example b/packages/server/.env.example
@@ -100,7 +100,7 @@ JWT_AUDIENCE='AUDIENCE'
 JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
-# EXPRESS_SESSION_SECRET=flowise
+# EXPRESS_SESSION_SECRET='54aca090d4764d05d8dfa8bccbdaede143617bda9dc23c67079422803566130f'
 # SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24

diff --git a/packages/server/src/enterprise/middleware/passport/index.ts b/packages/server/src/enterprise/middleware/passport/index.ts
@@ -6,9 +6,11 @@ import { StatusCodes } from 'http-status-codes'
 import jwt, { JwtPayload, sign } from 'jsonwebtoken'
 import passport from 'passport'
 import { VerifiedCallback } from 'passport-jwt'
+import { v4 as uuidv4 } from 'uuid'
 import { InternalFlowiseError } from '../../../errors/internalFlowiseError'
 import { IdentityManager } from '../../../IdentityManager'
 import { Platform } from '../../../Interface'
+import { generateRandomString32 } from '../../../utils/generate.util'
 import { getRunningExpressApp } from '../../../utils/getRunningExpressApp'
 import { OrganizationUserStatus } from '../../database/entities/organization-user.entity'
 import { GeneralRole } from '../../database/entities/role.entity'
@@ -22,7 +24,6 @@ import { WorkspaceUserService } from '../../services/workspace-user.service'
 import { decryptToken, encryptToken, generateSafeCopy } from '../../utils/tempTokenUtils'
 import { getAuthStrategy } from './AuthStrategy'
 import { initializeDBClientAndStore, initializeRedisClientAndStore } from './SessionPersistance'
-import { v4 as uuidv4 } from 'uuid'
 
 const localStrategy = require('passport-local').Strategy
 
@@ -50,9 +51,11 @@ const jwtOptions = {
 }
 
 const _initializePassportMiddleware = async (app: express.Application) => {
+    const sessionSecret = process.env.EXPRESS_SESSION_SECRET || generateRandomString32()
+
     // Configure session middleware
     let options: any = {
-        secret: process.env.EXPRESS_SESSION_SECRET || 'flowise',
+        secret: sessionSecret,
         resave: false,
         saveUninitialized: false,
         cookie: {

diff --git a/packages/server/src/utils/generate.util.ts b/packages/server/src/utils/generate.util.ts
@@ -0,0 +1,5 @@
+import { randomBytes } from 'crypto'
+
+export function generateRandomString32(): string {
+    return randomBytes(32).toString('hex')
+}