-
Notifications
You must be signed in to change notification settings - Fork 224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refreshing page does not use cookie to re-authenticate #149
Comments
Dear @yhavin, if you are using Streamlit-Authenticator with multi-page apps, you will have to recreate the authenticator object on each and every page and invoke the login method as shown below:
This is to ensure that when a user hard refreshes the page and the session state variables related to re-authentication are lost, the authenticator object is there to re-initialize them from the cookie saved on the browser. Please let me know if this solves your issues and I will close this issue. |
Thank you, that does solve the problem. However, is there a way to make the login widget unrendered? I'd prefer that if the user navigates to a report page and they are not logged in, for them to see a warning with a button that redirects them to the home page which has the login widget. Currently, however, if I'm calling authenticator.login() on each page, it shows the login widget directly on that page. It's not a bug, it's just a UI preference for me. |
@yhavin by default the login function will always check to see if there is a valid re-authentication cookie available on the browser, if there is it will log in without rendering the login form. However, in the event that a user refers to a subpage without ever having logged in, perhaps you can use the following code to redirect them to the main login page:
|
I have something similar to that already, however there are still issues. Logically, I need to put the When the user is logged in, this is fine, because the login widget doesn't render and the page loads its contents normally. But if the user is not logged in, then the login widget still shows up on the page because I have called So it's a bit of a catch 22. If I check for logged in status before calling Hence my question of whether I can make the login widget unrendered. That way, I can use it to check for re-authentication without it actually showing a login widget. Please let me know if you understand this problem, and if you have a suggestion. |
Gotcha! Sure, will try to fix this in the next release. Thank you for bringing it to my attention. |
Thank you, I really appreciate your responsiveness! It gives me peace of mind in relying on this package for my work. |
@mkhorasani HI, I have a problem here, I have two separate pages: login, webui. Login is the default page that requires authorization to log in. The code logic is as follows:
After the login is successful, enter the webui page, the code is as follows:
The above code can be successfully jumped to the webui page after the first login. But when I refresh on the webui page, the page was switched to the login page. Obviously, the page is lost the login status if refreshed. Another problem was discovered during the test. I successfully logged in as a user and clicked the logout button to switch to the login page. When I refreshed it, it jumped to the webui page again. It means that this situation means that the login status cannot be cleared after logging out. |
See my issue #159 Just code two lines would fix this |
Please, note that both lines are already implemented in the current version of Streamlit-Authenticator. |
In fact this change I see is already in the current version, but there are still the problems mentioned above. |
I just follow the document pip install and get 0.3.2 version , which has not implement these code after fix it , Rresh page works perfect in 0.3.2 So, the current version is not pip install ? but install from github master ? |
I just checked v0.3.2 again, and I can guarantee that your fixes are already implemented. |
I Confirm, the code is there The issue i met is that , i saved authenticator in self.authenticator self.authenticator = stauth.Authenticate( on each page, i only call login use the saved variable on each page, just call self.authenticator.login() So, the correct way is , DO Not Save Authenticator For Future Use, I saved the authenticator , and use it in every page, so i need my fix to make it work |
Hello,
I have a multipage app and am having re-authentication problems when refreshing pages. I have updated to 0.3.2, but this problem occurred before and still remains.
Problem 1: refreshing on same page as authentication occurs
I log in on the
home.py
page (entry point), and that works fine. I can see the cookie gets stored in the browser devtools. If I refresh the page, I can see the st.session_state start off initially blank for a fraction of a second, then populate with theusername
,logout
, andauthentication_status
attributes all set toNULL
. I can see, however, that theinit
attribute contains the cookie key-value pair, so at least I can use that. Should theauthentication_status
andusername
attributes beNULL
? I've been using custom logic that checks if the cookie key-value pair exists insidest.session_state.init
, and if it does, to count the user as "logged in", but it seems like extra work. Intuitively, I'd expect theauthentication_status
andusername
attributes to use the cookie and have proper values.Problem 2: refreshing on another page
After logging in on
home.py
entry point page (and whether I refresh that page or not), if I navigate to another page, sayreport.py
, I can see theauthentication_status
andusername
attributes are correctly set. So I can easily use those to determine authentication status for my application. But if I then refresh while onreport.py
, the session state becomes a completely blank dictionary, not even including the cookie key-value pair. So now, how is my application meant to know if the user is logged in or not? I can see the cookie in the browser devtools, but not inst.session_state.init
, asst.session_state
is empty.What is the recommended way to handle authentication status across multiple pages and taking into account reloads? Reloads are actually very prevalent, especially if someone wants to bookmark a specific page of my application. Whenever they open that bookmark, it is akin to a reload, and the
st.session_state
is empty and my application doesn't know if they're logged in.Thanks in advance!
The text was updated successfully, but these errors were encountered: