Hi,
I’m using streamlit==1.26.0 and streamlit_authenticator==0.2.3.
I’ve noticed that the JWT which is saved upon login (as a cookie, which in the default config is called “random_cookie_name”) retains its validity even if the user logs out.
That is, for instance, if the parameter is expiry_days: 1 and the user logs out within this period of time, it is still possible to provide the JWT to the application and retrieve data.
This behaviour is not completely sound from a security perspective, and I’m wondering if there is any means to:
- Invalidate the JWT on user logout or on another controllable condition
- Reduce the JWT validity to less than 1 day (e.g. 1 hour)