How secure are Streamlit session states?

Hello everyone.
I’m creating an authentication webpage for my app using form components and session state. Basically, I created the following block in my app:

import streamlit as st

# authenticate() is the form's on_click callback, defined elsewhere in the app;
# it runs on the server before the rerun and should set the logged-in flag.
if not st.session_state.get('you_are_logged_or_something'):
    # st.beta_columns is the pre-1.0 name; current releases call it st.columns
    _, authenticate_form, _ = st.beta_columns((1, 2, 1))
    with authenticate_form:
        with st.form("authentication_form"):
            username = st.text_input('Your email', key='your_email')
            userpass = st.text_input('Your password', type='password', key='your_password')

            st.form_submit_button("Login", on_click=authenticate)

It’s pretty straightforward: I have two input fields (user and password), both of them text_input, whose results I store in session_state. But when I run Streamlit in debug mode, fill out the form, and click the login button, I can see that the password is stored in plain text, at least in the widget (I don’t know if it’s stored the same way in session_state):

In fact, I was expecting the text_input value to be stored that way. But then I got concerned about whether or not an attacker could retrieve this value from the webpage (DOM, injection, etc.). Basically, I don’t want the user password to be used outside the authentication step, but I was wondering how secure session_states are for that.

Do you have any recommendations or good practices to follow? I’m aware that this authentication “component” is a workaround, and would be happy to hear about problems that I will face when deploying it to production.

Hi - what you’re seeing reported is data on the server, and in production the password will be passed over HTTPS (I hope that’s how you’ll set it up). The session state is also computed on the server. You shouldn’t need to store the password in session state, only the token stating that login was successful.

I used the browser inspector to look at network traffic and couldn’t make any sense of the streams of data flowing. So, at the very least, it’s super obfuscated. If I’m wrong, hopefully a Streamlit engineer will advise us.

HTH,
Arvindra
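One way to apply the advice above (verify the password in the form callback, then keep only a login token in session state) is sketched below. This is an added example, not code from the thread or from Streamlit; it assumes the widget keys `your_email` and `your_password` from the original post, a constructed in-memory user table `USERS` (a real app would read a database), PBKDF2-HMAC-SHA256 as the password hash, and that the file is started with `streamlit run`. The callback takes the state mapping as an argument so the checking and scrubbing logic can be exercised with a plain dict, without Streamlit installed.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential store for this example: email -> (salt, hash).
# A real app would load these rows from a database; the sample user is
# created at import time only so the block runs offline.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


_DEMO_SALT, _DEMO_HASH = hash_password("correct horse battery staple")
USERS = {"alice@example.com": (_DEMO_SALT, _DEMO_HASH)}  # constructed sample user


def verify_password(email, password):
    """Constant-time check of a password against the stored hash.

    Unknown users still pay for one hash computation so response time does
    not reveal whether the email exists.
    """
    record = USERS.get(email)
    if record is None:
        hash_password(password, _DEMO_SALT)
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def login_callback(state):
    """on_click callback for the login form.

    `state` is st.session_state (passed through args=) or any mutable
    mapping. Whatever the outcome, the plaintext password is overwritten
    with "" before the next rerun, so session state only ever carries the
    result of authentication: a random session token plus the user id.
    Assigning "" to a widget key inside a callback is the standard way to
    reset that widget in Streamlit.
    """
    email = state.get("your_email", "")
    password = state.get("your_password", "")
    state["your_password"] = ""  # scrub the plaintext from session state
    ok = verify_password(email, password)
    if ok:
        state["user"] = email
        state["session_token"] = secrets.token_urlsafe(32)
    return ok


def render_login_form():
    """Streamlit UI. Assumes `streamlit run this_file.py`; the import is local
    so the hashing and callback logic above import cleanly without Streamlit."""
    import streamlit as st

    if st.session_state.get("session_token"):
        st.write(f"Logged in as {st.session_state['user']}")
        return
    with st.form("authentication_form"):
        st.text_input("Your email", key="your_email")
        st.text_input("Your password", type="password", key="your_password")
        st.form_submit_button(
            "Login", on_click=login_callback, args=(st.session_state,)
        )


if __name__ == "__main__":
    render_login_form()
```

The password still has to reach the server (over HTTPS) and exists briefly in Python memory during the callback; what this pattern buys is that nothing persisting across reruns, and nothing the app later renders, contains it. The `session_token` here is an opaque server-side marker for "this session authenticated", not a cookie, so it never leaves the server.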

Hi @asehmi ! Thank you for the reply.
Yeah, I agree that I don’t need to store the password in the session state. Gonna change that.

Let’s wait for a Streamlit engineer to clarify how the data is stored and whether an attacker could take advantage of that.

@paulo.zip Maybe this solution I just released will help you.