Hello everyone.
I’m creating an authentication webpage for my app using form components and session state. Basically, I created the following block in my app:
```python
import streamlit as st

# `authenticate` is the on_click callback defined elsewhere in the app.
if not st.session_state.get('you_are_logged_or_something'):
    _, authenticate_form, _ = st.beta_columns((1, 2, 1))
    with authenticate_form:
        with st.form("authentication_form"):
            username = st.text_input('Your email', key='your_email')
            userpass = st.text_input('Your password', type='password', key='your_password')
            st.form_submit_button("Login", on_click=authenticate)
```
It’s pretty straightforward: I have two input fields (user and password), both of them text_input widgets, whose result I store in session_state. But when I ran Streamlit in debug mode, filled out the form, and clicked the login button, I could see that the password is stored in plain text, at least in the widget (I don’t know if it’s stored in the same way in session_state):
In fact, I was expecting the text_input value to be stored that way. But then I got concerned about whether or not an attacker could retrieve this value from the webpage (DOM, injection, etc.). Basically, I don’t want the user password to be used outside the authentication step, but I was wondering how secure session_states are for that.
Do you have any recommendations or good practices to follow? I’m aware that this authentication “component” is a workaround, and would be happy to hear about problems that I will face when deploying it to production.
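One way to keep the plaintext password out of session_state after the login step, as an added example that is not part of the original post: the `authenticate` callback below verifies the entered password against a salted PBKDF2 hash, clears the widget value, and stores only a boolean flag. The `USERS` store, `verify_password` and `render_login_form` are constructed for this example and assume the poster's widget keys.

```python
import hashlib
import hmac
import os

# Constructed credential store: only a salt and a PBKDF2 hash live server-side,
# never the password itself. A real app would load this from a database.
def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

def verify_password(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(hash_password(password, salt), stored)

def authenticate(state=None) -> bool:
    """Form on_click callback. `state` is st.session_state, or any mapping in tests.

    Callbacks run before the script reruns, so overwriting the widget key here
    clears the password field and leaves only a boolean in session state.
    """
    if state is None:
        import streamlit as st  # only needed when running inside Streamlit
        state = st.session_state
    email = state.get("your_email", "")
    password = state.get("your_password", "")
    state["your_password"] = ""  # drop the plaintext; it survives this rerun only
    state["you_are_logged_or_something"] = verify_password(email, password)
    return state["you_are_logged_or_something"]

def render_login_form():
    # Hypothetical wiring into the poster's form; runs only inside Streamlit.
    import streamlit as st
    if not st.session_state.get("you_are_logged_or_something"):
        with st.form("authentication_form"):
            st.text_input("Your email", key="your_email")
            st.text_input("Your password", type="password", key="your_password")
            st.form_submit_button("Login", on_click=authenticate)
```

The flag, not the password, is what later pages should check; an attacker who can read the DOM or session state after login then finds only a boolean.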