You need to invalidate the ALB cookies in your server-side code which resides behind the ALB, not in JavaScript.
- Request goes into your application through the ALB, to your logout code.
- Your backend code uses the set-cookie header to return cookies with the same names that the ALB uses (AWSELBAuthSessionCookie-0 up to AWSELBAuthSessionCookie-3), with expiry and max-age set to -1.
- The same response that sets those cookie headers also needs to send a 302 redirect to the idp logout endpoint.
- The browser receives the response, removes the ALB cookies from its local cookies storage, and goes to the idp logout endpoint.
From the information you provided, I understand you need more information related to authentication logout and session timeout for ALB.
When a user that has been authenticated needs to log out, the application should invalidate the session cookie by setting expiry to -1 but also redirect the client to the IdP logout endpoint. This needs to be done by your application.
Make sure the code consists of:
- Invalidate the AWSELBAuthSessionCookie-0 and AWSELBAuthSessionCookie-1 cookies by setting their expiration time to -1, or just clear both of them.
- Redirect the user to the IdP logout endpoint.
You should be able to set the expiry to -1 with set-cookie.
I hope you find this helpful.
Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-logout-timeout
https://www.exampleloadbalancer.com/auth_detail.html
https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
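Both answers above describe the same logout sequence (overwrite the ALB session cookies from the backend, then 302 to the IdP logout endpoint). The following is an added example, not code from either answer or from AWS: a minimal WSGI `/logout` handler that builds that response. Because the cookies are overwritten by a `Set-Cookie` response header, the cookie's HttpOnly flag is irrelevant here; HttpOnly only blocks access from JavaScript, not from the server. Assumptions: the IdP is a Cognito user pool, so the logout URL carries `client_id` and `logout_uri`; the domain, client id and post-logout URI are placeholders; the ALB set the cookies with `Path=/` and no `Domain` attribute (the attributes on the expired cookie must match the original ones or the browser keeps the old cookie).

```python
"""Logout handler for a backend sitting behind an ALB with authenticate-oidc
or authenticate-cognito. The ALB keeps the session in cookies named
AWSELBAuthSessionCookie-0 .. -3 (how many exist depends on session size), so
the handler expires all four and redirects to the IdP logout endpoint."""
from urllib.parse import urlencode
from wsgiref.simple_server import make_server

ALB_COOKIE_NAMES = [f"AWSELBAuthSessionCookie-{i}" for i in range(4)]

# Placeholders (assumed, not from the page): fill in your Cognito domain,
# app client id and the URI Cognito should return the browser to.
IDP_LOGOUT_ENDPOINT = "https://YOUR_DOMAIN.auth.REGION.amazoncognito.com/logout"
CLIENT_ID = "YOUR_APP_CLIENT_ID"
POST_LOGOUT_URI = "https://app.example.com/"


def expired_cookie_header(name: str, path: str = "/", secure: bool = True) -> str:
    """Build a Set-Cookie value that makes the browser drop cookie `name`.

    RFC 6265 treats any Max-Age <= 0 as "expire immediately", so Max-Age=0
    is equivalent to the -1 the AWS docs mention; the past Expires date covers
    clients that ignore Max-Age. Path (and Domain, if the ALB set one) must
    match the original cookie, otherwise the browser stores a second cookie
    instead of replacing the ALB's.
    """
    attrs = [
        f"{name}=",
        "Max-Age=0",
        "Expires=Thu, 01 Jan 1970 00:00:00 GMT",
        f"Path={path}",
        "HttpOnly",
    ]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def idp_logout_url() -> str:
    """Cognito logout endpoint: /logout?client_id=...&logout_uri=..."""
    query = urlencode({"client_id": CLIENT_ID, "logout_uri": POST_LOGOUT_URI})
    return f"{IDP_LOGOUT_ENDPOINT}?{query}"


def build_logout_response():
    """Return (status, headers) for the /logout route: one Set-Cookie per ALB
    cookie name, a Location header to the IdP, and no caching of the redirect."""
    headers = [("Set-Cookie", expired_cookie_header(name)) for name in ALB_COOKIE_NAMES]
    headers.append(("Location", idp_logout_url()))
    headers.append(("Cache-Control", "no-store"))
    return "302 Found", headers


def app(environ, start_response):
    """Tiny WSGI app: /logout runs the sequence above, everything else is a stub."""
    if environ.get("PATH_INFO") == "/logout":
        status, headers = build_logout_response()
        start_response(status, headers)
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"authenticated content\n"]


if __name__ == "__main__":
    # Run locally and inspect the headers with: curl -i http://127.0.0.1:8080/logout
    with make_server("127.0.0.1", 8080, app) as server:
        server.serve_forever()
```

The redirect target is an IdP-specific detail: for a non-Cognito OIDC provider, replace `idp_logout_url()` with that provider's end-session endpoint and its parameters (typically `post_logout_redirect_uri` and, where required, `id_token_hint`). The cookie-clearing part does not depend on the provider.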
Thank you for the answer, Cindy. I don't understand how to set the expiry to -1 if the HTTPOnly flag is set though. That flag prevents the cookie from being modified through JavaScript. Am I missing something? Thanks!
Thank you both for the answers. I am using Streamlit to deploy a small/medium application in AWS and I do not think this approach works with that framework since most of the server-side code is not directly accessible. I ended up having to move user authentication from the ALB into the application itself to get it working.
Thanks a lot. That worked!