I’m creating an authentication webpage for my app using form components and session state. Basically, I created the following block in my app:
```python
import streamlit as st

# authenticate is the on_click callback defined elsewhere in the app;
# it reads the two widget keys below from st.session_state.
if not st.session_state.get('you_are_logged_or_something'):
    _, authenticate_form, _ = st.beta_columns((1, 2, 1))  # centre the form
    with authenticate_form:
        with st.form("authentication_form"):
            username = st.text_input('Your email', key='your_email')
            userpass = st.text_input('Your password', type='password', key='your_password')
            st.form_submit_button("Login", on_click=authenticate)
```
It’s pretty straightforward: I have two input fields (user and password), both of them `text_input`, whose result I store in `session_state`. But when I run Streamlit in debug mode, fill out the form, and click the login button, I can see that the password is stored in plain text, at least in the widget (I don’t know if it’s stored in the same way on
In fact, I was expecting that the `text_input` value is stored that way. But then I got concerned about whether or not an attacker could retrieve this value from the webpage (DOM, injection, etc.). Basically, I don’t want the user password to be used outside the authentication step, but I was wondering how to secure
session_states are for that.
Do you have any recommendations or good practices to follow? I’m aware that this authentication “component” is a workaround, and would be happy to hear about problems that I will face when deploying it to production.
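One way to keep the plaintext out of `session_state` beyond the login step, as an added example that is not from the original post: the `USERS` store, `hash_password`, `verify_password` and an `authenticate` that takes the state mapping as a parameter are my assumptions; in the app the form button would call `on_click=lambda: authenticate(st.session_state)`.

```python
import hashlib
import hmac
import os
from typing import MutableMapping, Optional, Tuple

ROUNDS = 200_000  # PBKDF2 work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storing a new password with PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so a wrong guess cannot be timed byte by byte."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return hmac.compare_digest(candidate, expected)


# Constructed sample user store: only salt + digest are kept, never the password.
# A real app would load this from a database, not a module-level dict.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}
_DUMMY = hash_password("placeholder")  # used for unknown emails so timing stays uniform


def authenticate(state: MutableMapping) -> bool:
    """Login-button callback; `state` is st.session_state in the app.

    Reads the two widget keys from the form, checks the password against the
    stored hash, records only a boolean login flag, and overwrites the password
    key with an empty string so the plaintext does not outlive this step.
    """
    email = state.get("your_email", "")
    password = state.get("your_password", "")
    state["your_password"] = ""  # clear the widget-backed key right away
    salt, digest = USERS.get(email, _DUMMY)
    verified = verify_password(password, salt, digest)  # always runs, even for unknown users
    ok = verified and email in USERS
    state["you_are_logged_or_something"] = ok
    return ok
```

Setting the widget key inside the callback is the documented way to clear a `text_input` on the next rerun, so the password box is empty and `session_state` holds only the flag afterwards.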