How secure Streamlit session states are?

Hello everyone.
I’m creating an authentication webpage for my app using form components and session state. Basically, I created the following block in my app:

if not st.session_state.get('you_are_logged_or_something'):
    _, authenticate_form, _ = st.beta_columns((1, 2, 1))
    with authenticate_form:
        with st.form("authentication_form"):
            username = st.text_input('Your email', key='your_email')
            userpass = st.text_input('Your password', type='password', key='your_password')

            st.form_submit_button("Login", on_click=authenticate)

It’s pretty straightforward: I have two input fields (user and password), both of them text_input, which the result I store in session_state. But when I ran Streamlit debug mode, fill out the form, and click the login button, I can see that the password is stored in plain text, at least in the widget (I don’t know if it’s stored in the same way on session_state):

In fact, I was expecting that the text_input value is stored in that way. But then I got concerned about whether or not an attacker could retrieve this value from the webpage (DOM, Injection, etc.). Basically, I don’t want the user password to be used outside the authentication step, but I was wondering how to secure session_states are for that.

Do you have any recommendations or good practices to follow? I’m aware that this authentication “component” is a workaround, and would be happy to hear about problems that I will face when deploying it to production.

Hi - what you’re seeing reported is data on the server, and in production the password will be passed over https (I hope that’s how you’ll set it up). The session state is also computed on the server. You shouldn’t need to store the password in session state, only the token stating that login was successful.

I used browser inspect to look at network traffic and couldn’t make any sense of the streams of data flowing. So, at the very least, it’s super obfuscated. If I’m wrong, hopefully a Streamlit engineer will advise us.


Hi @asehmi ! Thank you for the reply.
Yeah, I agree that I don’t need to store the password in the state session. Gonna change that.

Let’s wait for some Streamlit engineer clarify about how the data is stored and if an attacker could take advantage of that Maybe this solution I just released will help you.