mkhorasani / Streamlit-Authenticator

A secure authentication module to validate user credentials in a Streamlit application.
Apache License 2.0

Inquiry Regarding Persistent Login Issue #174

Closed 3togo closed 3 days ago

3togo commented 5 days ago

I am writing to inquire about an authentication issue that we have observed in our Streamlit application. Specifically, we have noticed that once User A logs into the system, other individuals are able to access and browse the application in the name of User A, regardless of the computer or device they are using. However, once User A logs out, other users are then required to log in before accessing the application.

We are seeking clarification on the root cause of this behavior. It seems counterintuitive that a user's session would persist across different devices and computers without any form of authentication or session token validation. This poses a significant security risk as it allows unauthorized access to potentially sensitive information.

Here are a few key points that we would like to understand:

1. How is the session management implemented in Streamlit? Are there any known limitations or vulnerabilities that could explain this behavior?
2. Are there any specific configuration settings or code changes that we need to make to ensure that sessions are properly isolated and require re-authentication for each user on each device?
3. Are there any best practices or recommendations that you can provide to strengthen the authentication and session management in our Streamlit application?

We appreciate your assistance in resolving this issue and ensuring the security of our application. Thank you for your time and consideration.

mkhorasani commented 5 days ago

Dear @3togo, I am unable to recreate such a situation when hosting locally or on the cloud. Can you please let me know where you're hosting your application? You can use this sample application to verify that such a situation doesn't happen.

mkhorasani commented 5 days ago

Also, can you please share your source code for me to test?