User authentication

exactly, thanks. unfortunately, it seems i can’t edit my previous post anymore, but thanks for clearing that up.

The workaround isn’t needed anymore, however, as newer versions of streamlit do support a password field: st.text_input("Password:", value="", type="password")


You can also put auth in front of the application rather than inside it. For example, using oauth for login with nginx

1 Like

In case this helps anyone - this was super helpful:

1 Like

I have this below code to do the minmal user authentication. This is based on the SessionState hack here. Is there a better approach to achieve the below functionality

from SessionState import get

session_state = get(password='')

if session_state.password != 'pwd123':
    pwd_placeholder = st.sidebar.empty()
    pwd = pwd_placeholder.text_input("Password:", value="", type="password")
    session_state.password = pwd
    if session_state.password == 'pwd123':
        st.error("the password you entered is incorrect")

The approach above by @nth-attempt worked quite well for me, thanks!

Minor suggestion: instead of

    st.error("the password you entered is incorrect")

I would do elif session_state.password != '', so that the error doesn’t show up when the password is blank!


thanks for sharing, this works well

I did a simple test and oauth2-proxy seems to be a interesting option!
It’s a simple oauth proxy, therefore I could protect my streamlit application behind a google-login page.

Please be aware that oauth is not a trivial flow so, consider wisely all your requirements (i.e. logout, security, etc) :slight_smile:

Simple demo:


Hi and thx for the suggestions! :slight_smile:

I have the following error:
ModuleNotFoundError: No module named 'SessionState'

I tried to install various libraries but the error is still there.

Any idea anyone?


Hi Charly,

You need the SessionState gist. I.e. put the file from here in your project.

There are are different versions of the SessionState gist out there, but it looks like this one is recent. See e.g. this thread for some additional inspiration.

Best regards,


I’m trying to use this solution. But the following happens when 2 users use the app at the same time. Example:
User A inputs his password (let’s say ‘pwd_A’) through ‘pwd = st.text_input(…)’ and I save it using session_state.password = pwd.
Then another user (different device) comes and input his password (let’s say pwd_B).
What happens is that for BOTH sessions, now session_state.password is pwd_B (somehow user 2 overwrote session_state.password for user 1).
Can anybody help please?

1 Like



were you able to resolve the problem? I’m encountering the same and it would be awesome to have a solution for that.


Could you post the code that is causing this? Functionally, the session_state should be unique to each user.

1 Like

Sorry for the super late response, I’ll create a minimal example later today.

1 Like

@mibaumgartner maybe this helps?
Two people on same session state

Hi @Juan,

yes, that solved the problem :smiley: Thanks for all your work @theimposingdwarf @Juan :slight_smile:


1 Like

Another very safe alternative is to host the streamlit app on AWS,
and use a Load Balancer authentication mechanism to protect access to the server.
This doesn’t require you to implement any login in your code, and you can even implement OAuth flows to login using your google account.
Checkout these guides;

1 Like

TL;DR of some answers above is to deploy an identity-aware proxy in front of your app, that would solve several issues:

  • authentication - by integrating with your authentication provider (i.e. Google, Microsoft, Okta, Auth0)
  • authorization - which users are allowed
  • application fire-walling - as no parts of your app are accessible until user passes authentication and authorization

there are open source, on-premise and cloud-managed solutions, depending on your deployment strategy.

i.e. check out this example

Could you share the codes? Thanks!

Check out this repo for an implementation of users using Docker, Nginx, and Streamlit. Scroll down the README until you get to the section on Users, read for more detail.

TBD on security. I think it’s secure, but I’m not doing anything important with this code (tracking personal calories) so I am willing to take the risk of waiting and seeing what busts I find. But if smarter parties than myself wish to pry, the README should take ~5mins to figure out how I did this.

session_id = ReportThread.get_report_ctx().session_id
AttributeError: ‘NoneType’ object has no attribute ‘session_id’

Why I am getting None type object ReportThread

1 Like