Auth cookie persistence broken in 1.57.0 (Starlette migration)

Hi team,

I noticed that after upgrading from Streamlit 1.56.0 to 1.57.0, the authentication cookie set by st.login() is no longer persistent. It behaves as a session cookie (deleted when the browser is closed) instead of persisting for 30 days as documented.

Steps to reproduce:

1. Deploy a Streamlit app (>=1.57.0) with Google OAuth via st.login("google")
2. Log in successfully
3. Close the browser window
4. Reopen the app URL — you’re logged out and see the login screen again

Expected behavior: Auth cookie persists for 30 days (as documented and as it worked in 1.56.0).

Root cause: This appears to be a side effect of the Tornado to Starlette migration in 1.57.0. The new Starlette-based server likely sets the auth cookie without a Max-Age or Expires header, making it a session cookie.

Workaround: Pinning streamlit==1.56.0 restores the correct behavior.

Environment: Deployed on Sevalla (Nixpacks build), Google OAuth provider, Chrome browser. Verified no enterprise policies or browser settings clearing cookies.

Would appreciate this being addressed in a patch release. Happy to provide more details or help test a fix. Thanks

Hey there, thanks for the detailed report and for being so thorough in your testing! :tada: You’re absolutely right: after the migration from Tornado to Starlette in Streamlit 1.57.0, the authentication cookie set by st.login() is now behaving as a session cookie (deleted on browser close), rather than persisting for 30 days as previously documented and expected.

This is a confirmed side effect of the server migration. The Starlette-based implementation currently sets the auth cookie without a Max-Age or Expires attribute, which causes browsers to treat it as a session cookie. The previous Tornado implementation set a persistent cookie with a 30-day expiration, matching the documentation. Pinning to 1.56.0 is the only documented workaround at this time. For reference, see the Starlette migration PR summary and the authentication docs, which still state the 30-day persistence. This is a regression and should be addressed in a patch release.

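The check implied by the root-cause analysis above, as an added example (not part of the thread and not Streamlit's code): classify a captured `Set-Cookie` value as session or persistent, with Max-Age taking precedence over Expires. The cookie name `auth_cookie`, the sample headers and the helper names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers; "auth_cookie" is a placeholder name.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SESSION_HDR = "auth_cookie=abc123; Path=/; HttpOnly; SameSite=Lax"
MAX_AGE_HDR = SESSION_HDR + "; Max-Age=2592000"
EXPIRES_HDR = SESSION_HDR + "; Expires=Sat, 31 Jan 2026 00:00:00 GMT"


def cookie_lifetime(set_cookie_value, now):
    """Return (kind, seconds) for one Set-Cookie header value.

    kind is "session", "persistent" or "expired"; seconds is the
    remaining lifetime, or None for a session cookie.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if not jar:
        raise ValueError("no cookie could be parsed from the header")
    morsel = next(iter(jar.values()))

    seconds = None
    # Max-Age wins over Expires; an unparsable Max-Age is ignored.
    try:
        seconds = int(morsel["max-age"])
    except ValueError:
        pass
    if seconds is None and morsel["expires"]:
        try:
            expires = parsedate_to_datetime(morsel["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            seconds = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            pass  # an unparsable Expires is ignored as well

    if seconds is None:
        # Neither attribute present: the browser drops it on close.
        return ("session", None)
    return ("persistent" if seconds > 0 else "expired", seconds)


def persists_for(set_cookie_value, days, now):
    """True if the cookie outlives `days` days from `now`."""
    kind, seconds = cookie_lifetime(set_cookie_value, now)
    return kind == "persistent" and seconds >= days * 86400
```

Run it against the `Set-Cookie` value copied from the browser's network panel after login on each version to confirm which attribute is missing.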