Different user incorrectly shared st.session_state;

Using Streamlit
1

There is a question about session_state sometimes different users will have a shared login state;

My version of streamlit is 1.30
My python version is 3.11.3

I have encountered an amazing problem;
When different users access the streamlit app, the streamlit app mistakenly recognizes these people as the same app and completely shares their login status (including username);
When one user logs in, all users are logged into that user’s account when they refresh; when any user logs out, all users log out …
This is an incomprehensible problem; because it doesn’t match the design logic of streamlit;

And the problem doesn’t behave the same in my local environment as it does in his; everything works fine in my case; the problem appears on my friend’s computer;

I understand that for streamlit, page refresh/creating a new tab, etc., even for the same user, the session_id and socket connection key will be different for each page visit, and have a different st.session_state; am I understanding correctly?
I have a screenshot here where the socket key and session_id are indeed different in different browsers, but there is a strange sharing issue with st.session_state; I’m not sure if this screenshot is indicative of the problem. I’m more than happy to provide anything if I need to;

Image
Image2402×1066 197 KB

I’ll provide a simple case here: the method to get the websocket_key and ctx.session_id is from this thread

import streamlit as st
from streamlit.runtime.scriptrunner import get_script_run_ctx
from streamlit.web.server.websocket_headers import _get_websocket_headers
headers = _get_websocket_headers()
session_id = headers.get("Sec-Websocket-Key")

ctx = get_script_run_ctx()

st.subheader('ctx.session_id')
st.write(ctx.session_id)
st.subheader('st.session_state')
st.write(st.session_state)
st.subheader('websocket_header_session_id')
st.write(session_id)
if st.button('Flush cache'):
    st.rerun()

if st.button('Login'):
    st.session_state['session_id'] = ctx.session_id
    st.session_state['logged_in'] = True
    st.rerun()
  
if st.button('Logout'):
    st.session_state.clear()
    st.rerun()
2

We have found the reason; because we had incorrectly put in the code

st.session_state = {};

This action turns a st.session_state object into a regular dictionary; while it can still be written to and read from, it no longer has the ability to assign sessions to different users.

The error case in the schematic is a reproduction of a problem that another developer reproduced when manually changing the code; the problem is not the fault of st.session_state;

I will close this issue; thanks to the community;

1 Like
3

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.