Your credentials are sent directly to DUPR and never stored.
Only your session token is kept in a secure HTTP-only cookie.
Verify for yourself — view the source code