Closed ibestvina closed 3 months ago
I do not store passwords in the re-authentication cookie out of caution; therefore, there is no way for the module to know that a password has been changed. The re-authentication cookie only stores the username and cookie expiry date; therefore, I don't think there is any way for me to implement this. As a force majeure measure, if for whatever reason you need to force a user to log out, you can simply remove their credentials from the config.yaml file.
Thank you, I suspected this might be due to my wrong expectations. Great work btw!
You're most welcome!
I assume this is working as intended, but I'd expect it to work differently. Please close the issue if this is the intended behavior.
I store login info (username and hashed passwords) in the database. I would expect that users who are already logged in would be logged out automatically after their password is changed (making their cookie hash invalid), but this is not the case.
Here is a simple example of the code to reproduce this:
After starting the app, I log in with password `a`. I then change the password to `b` in the code and refresh the app in the browser. I would expect the `login_status` to switch back to `False`, however it stays `True`.
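An added example, not the module's own code: one way a re-authentication cookie holding the username and expiry can still be invalidated by a password change without carrying the password, by also including a keyed fingerprint of the stored password hash. `SERVER_KEY`, the function names and the sample hash strings are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server

def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()

def credential_tag(stored_hash: str) -> str:
    # Keyed fingerprint of the stored password hash; neither the password
    # nor the hash itself is placed in the cookie.
    mac = hmac.new(SERVER_KEY, b"cred:" + stored_hash.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]

def issue_cookie(username, stored_hash, ttl=3600, now=None):
    now = time.time() if now is None else now
    claims = {"u": username, "exp": now + ttl, "tag": credential_tag(stored_hash)}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body).decode()

def check_cookie(cookie, lookup_hash, now=None):
    """True only if signature, expiry and credential tag all still hold.

    lookup_hash(username) returns the currently stored hash, or None.
    """
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:          # malformed cookie or bad base64
        return False
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        return False            # tampered or signed with another key
    claims = json.loads(body)
    if claims["exp"] < now:
        return False            # expired
    current = lookup_hash(claims["u"])
    if current is None:
        return False            # credentials removed: forced logout
    # A changed password changes the stored hash, so the tag stops matching.
    return hmac.compare_digest(claims["tag"].encode(),
                               credential_tag(current).encode())

if __name__ == "__main__":
    db = {"alice": "constructed-hash-of-a"}       # constructed sample store
    cookie = issue_cookie("alice", db["alice"])
    print("before change:", check_cookie(cookie, db.get))
    db["alice"] = "constructed-hash-of-b"         # password changed
    print("after change: ", check_cookie(cookie, db.get))
```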