How to set the expiration time of the authentication cookie to -1

Summary

I built a Streamlit app that consists of a browser, AWS ALB, the Streamlit app, and a resource server, in that order.
To authorize the requests at the resource server, I configured AWS ALB authentication.
But I couldn’t implement a logout function.
The AWS document says, “When an application needs to log out an authenticated user, it should set the expiration time of the authentication session cookie to -1 and redirect the client to the IdP logout endpoint (if the IdP supports one).”

Steps to reproduce

I implemented a logout button linking to the IdP (Auth0) logout endpoint, and it works well.
But when I access the app again after logout, I can access the app without logging in. I guess it is because AWS ALB still has the authentication session with my browser.
That’s why the AWS document says, “it should set the expiration time of the authentication session cookie to -1”.
I tried to get the authentication session using _get_websocket_headers like below, but I couldn’t.

Code snippet:

import streamlit as st
from streamlit.web.server.websocket_headers import _get_websocket_headers

headers = _get_websocket_headers()
st.write(headers)

Expected behavior:

I think I can get the authentication session in the Streamlit app, just as the browser developer tools can.
But _get_websocket_headers in the app could get “AWSALBAuthNonce”;
on the other hand, the browser could get two cookies, “AWSALBAuthNonce” and “AWSELBAuthSessionCookie-0”.
AWSELBAuthSessionCookie-0 is just what I want to get.

Debug info

  • Streamlit version: 1.23.1
  • Python version: 3.8.10
  • Browser version: Google Chrome 114.0.5735.199

Requirements file

streamlit
extra-streamlit-components

I would appreciate it if someone could help me.

1 Like

Hi @Shoyu, and welcome to our community!

Your issue seems to involve invalidating a session cookie (AWSELBAuthSessionCookie-0) set by AWS for user logout in your Streamlit app.

I think you should follow AWS’s guidelines, as the management of these session cookies is to do with AWS, not Streamlit.

Best,
Charly

Hi, @Charly_Wargnier . Thank you for your reply.

Let me ask an additional question to clarify the problem.
When I built the same architecture application using Python Flask instead of Streamlit, I implemented a logout method that sets the authentication session expiration time, like below.

from flask import Flask, render_template, request, redirect, url_for, session, make_response

app = Flask(__name__)

@app.route("/logout")
def logout():
    logout_endpoint = "xxx"
    # Redirect the client to the IdP logout endpoint
    response = make_response(redirect(logout_endpoint))
    # Expire the ALB authentication session cookie
    response.set_cookie('AWSELBAuthSessionCookie-0', max_age=-1)
    return response

Can’t Streamlit do the same because of the Streamlit design concept issue?

Regards,
Shoyu

You’re welcome!

No, Streamlit does not offer this level of access to HTTP response objects.

You won’t be able to directly replicate the Flask behavior mentioned above in Streamlit due to the difference in technical implementation.

I hope that clarifies.

Thanks,
Charly

1 Like
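The Flask logout from the thread, generalized as a framework-free WSGI handler; this is an added example, not code from either poster or from Streamlit. It expires every shard of the ALB session cookie rather than only `-0`, then redirects to the IdP logout endpoint. Assumptions: the IdP URL is a placeholder, the shard count of 4 and `Path=/` are assumed values, and the ALB routes `/logout` to this handler.

```python
from http.cookies import SimpleCookie

IDP_LOGOUT_URL = "https://idp.example/logout"  # placeholder; the thread elides the real endpoint
COOKIE_BASE = "AWSELBAuthSessionCookie"        # cookie name as seen in the thread
MAX_SHARDS = 4                                 # assumption: cover shards -0 .. -3


def expired_cookie_headers(base=COOKIE_BASE, shards=MAX_SHARDS):
    """Return Set-Cookie header tuples that expire every session-cookie shard."""
    headers = []
    for i in range(shards):
        name = f"{base}-{i}"
        jar = SimpleCookie()
        jar[name] = ""                      # empty value, the cookie is being discarded
        jar[name]["path"] = "/"             # assumption: must match the path the ALB used
        jar[name]["max-age"] = -1           # the "-1" expiration the AWS document asks for
        jar[name]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"  # for clients ignoring Max-Age
        jar[name]["secure"] = True
        jar[name]["httponly"] = True
        headers.append(("Set-Cookie", jar[name].OutputString()))
    return headers


def logout_app(environ, start_response):
    """WSGI app: /logout expires the ALB session and redirects to the IdP logout."""
    if environ.get("PATH_INFO") != "/logout":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    headers = [("Location", IDP_LOGOUT_URL), ("Cache-Control", "no-store")]
    headers += expired_cookie_headers()
    start_response("302 Found", headers)
    return [b""]


if __name__ == "__main__":
    # Local check only; in the thread's setup the handler would sit behind the ALB.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, logout_app).serve_forever()
```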
