As others have said, we keep the decrypted key in memory for a short period of time (currently 10 minutes; will be configurable in the future, or can be disabled entirely so you have to enter your password for every operation). We don’t ever persist this to cookies, session or local storage, etc. If someone steals your computer while you have a session active and the thief is into crypto then you’re in trouble, but otherwise you’re fine.
EDIT: Also worth mentioning that this only happens when your “trading session” (where the decrypted key is in memory) is active. If you refresh the page (causing the trading session to be discarded, and causing you to reauthenticate with your session token) and try to create a stake, you will be prompted to enter your credentials.
In general session token authentication can be thought of as a read-only state. Your signin credentials will be needed to access any writes.
This is part of our design to make the encrypted secret key a little bit harder to access. It’s a little hard to explain succinctly, but basically we have yet another encryption key that is generated on a per-session basis by the server that is gated behind an endpoint requiring your signin credentials. And we mix that key into encrypting anything we store on the client side, as an additional security measure.