Shared session_state between Google Cloud Run instances

Hello everybody,

I recently launched an app and I discovered a serious issue that I can't understand.
I am running my app in Cloud Run and I have an authentication method that uses cookies.

Let's imagine I just started the app and the first user arrives.
When the first user logs in, st.session_state gets 3 keys: connected, user_id and user_info, and the user can use the app as normal.
Now if a second user uses the app, they will be connected with the first user's credentials!

In my code, just after set_page_config, as the first thing I do in the app, I use the check_authentification function. Inside it, first of all, I check if the key connected is in session_state:

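```python
import streamlit as st

def check_authentification():
    # Trust an existing login flag in this session's state
    if 'connected' in st.session_state and st.session_state["connected"]:
        log("Already log")
        return

    log("Not yet log")
    # Otherwise try to restore the login from the browser cookie
    if check_cookies():
        return

    # ... Rest of auth
```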

And when the second user starts the app, I only log one "Already log". So the issue isn't coming from the cookies.
I can't see any other explanation than 'connected' is already in session_state, yet it is the first thing that the app does, so the key shouldn't exist. The second user seems to share the session_state of the first user! I used different PCs, browsers and accounts to test, and a Streamlit user sent me a screenshot of him connected to my account.

I saw some people getting similar issues with the use of cache. I removed all caching and the problem is still here.
Maybe my issue is from the concurrency of my Cloud Run instance; does it need to be at 1? (Not sure what it is, I'm not a web dev or cloud eng.)

Does anyone have an explanation? How can I prevent session_state from being shared?

Session State should be unique to each session. It's not only unique between computers, but also unique between tabs in the same browser on the same computer. I am most curious what's happening in the check_cookies call. How is st.session_state.connected getting filled in within your code?

check_cookie is never reached by the second user! That is what is most surprising. Otherwise I would log a "Not yet log".

```python
from datetime import datetime

import streamlit as st
from bson import ObjectId

def check_cookies():
    # Read the auth token from the browser cookie
    token = cookie_manager.get(cookie_name)
    if token is not None:
        token = _token_decode(token)
        # Accept only a decodable, unexpired token that names a user
        if token is not False and token['exp_date'] > datetime.now().timestamp() and 'mongo_id' in token:
            client = init_connection()
            st.session_state["client"] = client
            user = client.usersdb.users.find_one(
                {"_id": ObjectId(token['mongo_id'])},
                {"_id": 1, "name": 1, "email": 1, "avatar": 1, "admin": 1, "oauth_id": 1, "user_settings": 1, "stripe_settings": 1, "new_user": 1},
            )

            st.session_state["current_user"] = user
            st.session_state["connected"] = True
            return True

    return False
```

For more info on the code, I released a component with it. I use a slightly different version with some functions for my Mongo database.

OK, I found it was cookies. I am closing this post as it isn't the real issue.
I will try to fix it myself and open a new post if needed.
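
A defensive variant of the check_authentification pattern discussed in this thread, as an added example that is not part of the original posts or the poster's component: instead of trusting a cached `connected` flag alone, it re-validates the cookie presented on each rerun and ties the cached login to that exact cookie. The HMAC token format, `SECRET`, `sign_token`, `decode_token`, `load_user` and the `token_sig` key are assumptions for illustration, and a plain dict stands in for `st.session_state`.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

SECRET = b"constructed-demo-key"  # assumption: server-side signing key
AUTH_KEYS = ("connected", "current_user", "token_sig")

def sign_token(payload: dict) -> str:
    """Issue a token as base64(json).hex_hmac (constructed format)."""
    body = urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"

def decode_token(token):
    """Return the payload if signature and expiry are valid, else None."""
    try:
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(urlsafe_b64decode(body))
    except (AttributeError, TypeError, ValueError):
        return None  # missing, malformed or tampered token
    if payload.get("exp_date", 0) <= time.time() or "mongo_id" not in payload:
        return None
    return payload

def check_authentication(session_state: dict, cookie_token, load_user) -> bool:
    """Re-derive identity from this request's cookie on every rerun."""
    payload = decode_token(cookie_token)
    if payload is None:
        for key in AUTH_KEYS:  # no valid cookie: drop any cached login
            session_state.pop(key, None)
        return False
    sig = cookie_token.rsplit(".", 1)[1]
    cached = session_state.get("token_sig", "")
    if session_state.get("connected") and hmac.compare_digest(cached, sig):
        return True  # cached login belongs to this exact cookie
    # New or different cookie: reload the user instead of reusing the cache
    session_state["current_user"] = load_user(payload["mongo_id"])
    session_state["token_sig"] = sig
    session_state["connected"] = True
    return True
```

With this shape, a stale or foreign `connected` flag cannot outlive the cookie that created it, because the flag is only honoured when the current cookie's signature matches the one stored at login.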
