Hi Alan - a token-based authentication model (like what Cognito is doing) is meant to be stateless, and there is no concept of session tracking like in legacy session-based authentication, which tracks sessions with cookies. In other words, there is no way to know that a user has signed in already without storing this information and doing your own session management solution. In addition to this, tokens are self-contained, and even after sign-out or revoking tokens, they are still valid until they expire (since the majority of services will verify a token without calling the issuer, the token will be verified by just checking the signature and expiration).
The short answer is that, if you want to enforce a single session per user, then you need to fall back to session-based authentication and maintain a server-side managed session. One way to do that with Cognito is to store some information that the user has an active session (for example, in the Cognito Post-Auth trigger, store some mapping in DynamoDB that user XYZ has an active session that will expire at time ABC, or store this information in a cache layer with an expiration period that matches the token expiration; don't store the token itself or any sensitive data). Then in the Pre-Auth trigger you can check if the username has an active session and fail the authentication attempt. You then need to think of how to invalidate this session if the user signs out or would like to switch to another device before the active session expires.
Hello @Mahmoud Matouk, as of today, is this still the same answer?