[Bug] Cookie authentication not persisting on hard refresh (F5) with multipage app #292

@lobsteinda

Streamlit Version

1.50.0

Streamlit Authenticator Version

0.4.2

Environment

OS: Linux (Arch Linux, kernel 6.16.10-arch1-1); Python: 3.12.9; Browser: Chrome

What happened?

When using streamlit-authenticator with the conditional navigation pattern (recommended in Streamlit docs), authentication cookies are not being read on hard refresh (F5), forcing users to re-login each time they refresh the page.

Current behavior:

  1. User logs in successfully → cookie is set (visible in browser DevTools)
  2. User navigates between pages → stays logged in
  3. User presses F5 (hard refresh) → authentication state is lost, redirected to login page

The cookie persists in the browser, but the authenticator doesn't seem to read it on page reload, even though we call authenticator.login(location="unrendered") before checking authentication status.

What did you expect to happen?

After logging in, the 30-day cookie should keep the user authenticated across hard refreshes (F5), similar to how it works with soft navigation between pages.

Steps to reproduce

Minimal setup:

1. Create config.yaml:

credentials:
  usernames:
    admin:
      name: admin
      password: $2b$12$hashed_password_here

cookie:
  expiry_days: 30
  key: your_secret_key
  name: streamlit_auth_cookie

2. Create app.py:

import streamlit as st
import streamlit_authenticator as stauth
import yaml
from yaml.loader import SafeLoader

st.set_page_config(page_title="Auth Test", layout="wide")

# Load config
with open("config.yaml") as file:
    config = yaml.load(file, Loader=SafeLoader)

# Create authenticator (cache in session state to avoid duplicate key errors)
if "authenticator" not in st.session_state:
    st.session_state.authenticator = stauth.Authenticate(
        config["credentials"],
        config["cookie"]["name"],
        config["cookie"]["key"],
        config["cookie"]["expiry_days"],
        auto_hash=False,
    )

authenticator = st.session_state.authenticator

# Check for cookie on page load
try:
    authenticator.login(location="unrendered")
except Exception:
    pass

authenticated = st.session_state.get("authentication_status", False)

# Conditional navigation
if authenticated:
    st.title("✅ Logged In")
    st.json({
        "authenticated": st.session_state.get("authentication_status"),
        "username": st.session_state.get("username"),
    })
    authenticator.logout(button_name="Logout")
else:
    st.title("🔒 Login Required")
    authenticator.login(location="main")

3. Run app:

streamlit run app.py

4. Test cookie:

  1. Log in with valid credentials
  2. Open Chrome DevTools (F12) → Application → Cookies → localhost:8501
  3. Expected: See streamlit_auth_cookie with JWT value
  4. Actual: Only _streamlit_xsrf cookie exists, NO streamlit_auth_cookie
  5. Session state shows authenticated: true, but no cookie created
  6. Press F5 → Forced to log in again (no cookie to persist auth)
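
For triage of a report like this one, a cookie value copied from DevTools can be checked offline against the `key` in config.yaml. This is an added example, not part of the original report or of streamlit-authenticator's code; it assumes the cookie is an HS256-signed JWT whose payload carries `username` and `exp_date` (a Unix timestamp), and the helper names, key and sample token are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input, key):
    return hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_cookie(payload, key):
    """Build a constructed HS256 JWT so the example runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64e(_sign(f'{head}.{body}', key))}"

def check_cookie(token, key, now=None):
    """Return (verdict, payload): valid | expired | bad-signature | malformed."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64d(head))
        signature = _b64d(sig)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return "malformed", None
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "malformed", None
    # Constant-time comparison avoids leaking signature bytes via timing.
    if not hmac.compare_digest(signature, _sign(f"{head}.{body}", key)):
        return "bad-signature", None
    try:
        payload = json.loads(_b64d(body))
        expires = float(payload["exp_date"])  # assumed field name
    except (ValueError, KeyError, TypeError):
        return "malformed", None
    return ("valid" if expires > now else "expired"), payload

if __name__ == "__main__":
    key = "constructed-test-key"  # placeholder, not a real secret
    cookie = make_cookie({"username": "admin", "exp_date": time.time() + 30 * 86400}, key)
    print(check_cookie(cookie, key))
    print(check_cookie(cookie, "wrong-key"))
```

A `bad-signature` verdict on a cookie the browser does hold points at a key mismatch between the running app and config.yaml, while a missing cookie points at the write side rather than the read side.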
