Invalidate streamlit-authenticator JWT upon logout

Hi,

I’m using streamlit==1.26.0 and streamlit_authenticator==0.2.3.
I’ve noticed that the JWT which is saved upon login (as a cookie, which in the default config is called “random_cookie_name”) retains its validity even if the user logs out.
That is, for instance, if the parameter is expiry_days: 1 and the user logs out within this period of time, it is still possible to provide the JWT to the application and retrieve data.
This behaviour is not completely sound from a security perspective, and I’m wondering if there is any means to:

  • Invalidate the JWT on user logout or another controllable condition
  • Reduce the JWT validity to less than 1 day (e.g. 1 hour)
