diff --git a/.env.example b/.env.example
index 86711df..386063b 100644
--- a/.env.example
+++ b/.env.example
@@ -15,8 +15,11 @@ ARA_DATABASE_PASSWORD=arasecret
 # ------------------------------------------------------------
 # ARA core
 # ------------------------------------------------------------
-# IMPORTANT: replace with a long random string in production
-ARA_SECRET_KEY=changeme_use_a_long_random_string
+# REQUIRED: generate with:
+# python3 -c "import secrets; print(secrets.token_hex(50))"
+# Without this, a new random key is generated on every container
+# start — invalidating Django sessions and ARA's signed cookies.
+ARA_SECRET_KEY=
 
 # Timezone — controls BOTH crond scheduling AND ARA display times.
 # Use a tz database name: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
diff --git a/README.md b/README.md
index 3199bb2..51546b3 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ Full reference:
 | Variable | Default | Description |
 |---|---|---|
 | `ARA_BASE_DIR` | `/opt/ara` | Data & config directory |
-| `ARA_SECRET_KEY` | *(random)* | Django secret key — **set a stable value in production** |
+| `ARA_SECRET_KEY` | *(random — **must be set**)* | Django secret key. If unset, a new key is generated every restart, invalidating sessions. Generate with: `python3 -c "import secrets; print(secrets.token_hex(50))"` |
 | `ARA_ALLOWED_HOSTS` | `["127.0.0.1","localhost","::1"]` | Hosts the server will respond to |
 | `TZ` | `UTC` | System timezone — controls **when crond fires** |
 | `ARA_TIME_ZONE` | same as `TZ` | Timezone for ARA to store/display results — keep in sync with `TZ` |
diff --git a/docker-compose.yml b/docker-compose.yml
index c6108c4..417663b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
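Review bot: The new comment block above `ARA_SECRET_KEY=` says that leaving the value empty makes a fresh random key be generated on every container start, but the docker-compose.yml hunk in this same commit switches the expansion to `${ARA_SECRET_KEY:?...}`, which makes Compose refuse to start on an unset or empty value, so for the Compose path the documented fallback never happens. Reword to describe what actually occurs, e.g. `# Without this, docker compose refuses to start (ARA_SECRET_KEY is checked with :? in docker-compose.yml).` and keep the session-invalidation sentence only if the image really does fall back to a random key when run without Compose, which this diff does not show. Leaving the value empty here is correct given that `:?` rejects empty as well as unset, so a verbatim copy of this file fails loudly rather than silently. The README row changed in the next hunk carries the same "generated every restart" wording and should be aligned at the same time.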
@@ -28,14 +28,15 @@ services:
 condition: service_healthy
 ports:
 - "${ARA_PORT:-8000}:${ARA_PORT:-8000}"
- volumes:
- - ara_data:/opt/ara
 environment:
 # -----------------------------------------------------------------------
 # Core
 # -----------------------------------------------------------------------
 ARA_BASE_DIR: /opt/ara
- ARA_SECRET_KEY: ${ARA_SECRET_KEY:-changeme_use_a_long_random_string}
+ # SECRET_KEY must be set to a stable random value — if left unset a new
+ # key is generated on every container start, invalidating Django sessions.
+ # Generate one with: python3 -c "import secrets; print(secrets.token_hex(50))"
+ ARA_SECRET_KEY: ${ARA_SECRET_KEY:?ARA_SECRET_KEY must be set in .env}
 ARA_ALLOWED_HOSTS: ${ARA_ALLOWED_HOSTS:-["*"]}
 ARA_TIME_ZONE: ${TZ:-UTC}
 ARA_LOG_LEVEL: ${ARA_LOG_LEVEL:-INFO}
@@ -74,4 +75,3 @@ services:
 
 volumes:
 db_data:
- ara_data:
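Review bot: The comment added directly above `ARA_SECRET_KEY` says an unset value leads to a new key being generated on every container start, but the `${ARA_SECRET_KEY:?ARA_SECRET_KEY must be set in .env}` expansion on the next line makes `docker compose` abort before any container starts (Compose's `:?` form fails on unset and on empty), so the comment describes exactly the behaviour this line now prevents. Suggest replacing the first two comment lines with `# Required: compose aborts (:?) if this is unset or empty; use a stable random value —` and keeping the generation hint as is. The `.env.example` hunk earlier in this commit carries the same stale wording. Separately, the hunk drops the `ara_data:/opt/ara` mount while `ARA_BASE_DIR: /opt/ara` stays in place, so anything ARA writes under that directory now lives in the container's writable layer and is lost when the service is recreated; if all persistent state is meant to be in the database now, a one-line comment on `ARA_BASE_DIR` saying so would stop the next reader from re-adding the volume. The enclosing service definition starts before this hunk, and the matching `ara_data:` removal from the top-level `volumes:` is in the following hunk.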