chore(server): use random UUID for session ID

apps/server/src/routes/csrf_protection.ts

@@ -1,3 +1,4 @@
+import crypto from "crypto";
 import { doubleCsrf } from "csrf-csrf";
 
 import sessionSecret from "../services/session_secret.js";
@@ -5,6 +6,12 @@ import { isElectron } from "../services/utils.js";
 
 export const CSRF_COOKIE_NAME = "trilium-csrf";
 
+// In Electron, API calls go through an IPC bypass (routes/electron.ts) that uses a
+// FakeRequest with a static session ID, while the bootstrap request goes through real
+// Express with a real session. This mismatch causes CSRF validation to always fail.
+// We use a per-instance random identifier so each Electron process still gets unique tokens.
+const electronSessionId = crypto.randomUUID();
+
 const doubleCsrfUtilities = doubleCsrf({
     getSecret: () => sessionSecret,
     cookieOptions: {
@@ -14,11 +21,7 @@ const doubleCsrfUtilities = doubleCsrf({
         httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Trilium/pull/966
     },
     cookieName: CSRF_COOKIE_NAME,
-    // In Electron, API calls go through an IPC bypass (routes/electron.ts) that uses a
-    // FakeRequest with a static session ID, while the bootstrap request goes through real
-    // Express with a real session. This mismatch causes CSRF validation to always fail.
-    // Since Electron is a local single-user app, a constant identifier is acceptable here.
-    getSessionIdentifier: (req) => isElectron ? "electron" : req.session.id
+    getSessionIdentifier: (req) => isElectron ? electronSessionId : req.session.id
 });
 
 export const { generateCsrfToken, doubleCsrfProtection } = doubleCsrfUtilities;