How to Modify AWSELBAuthSessionCookie to Log Off User

0

I have developed a containerized web server in ECS behind a Cognito-authenticated Application Load Balancer. I am in the final stages of development and working on implementing a log-off button. The documentation below states that to log off a user, the application should modify the authentication session cookies and set the expiry to -1. On the client side, I can see the session cookies, but they are marked as HttpOnly and cannot be modified. I do not see the cookies on the server side and, based on the documentation, it does not sound like the cookies are sent to the server. How do I modify the cookies to log out a user, or is there another way to log out a user? https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

Austin
asked 2 years ago, 3668 views
4 Answers
1

You need to invalidate the ALB cookies in your server-side code which resides behind the ALB, not in JavaScript.

  • Request goes into your application through the ALB, to your logout code.
  • Your backend code uses the Set-Cookie header to return cookies with the same names that the ALB uses (AWSELBAuthSessionCookie-0 up to AWSELBAuthSessionCookie-3) and expiry and max-age with values of -1.
  • The same response that sets those cookie headers also needs to send a 302 redirect to the IdP logout endpoint.
  • The browser receives the response, removes the ALB cookies from its local cookie storage, and goes to the IdP logout endpoint.
yoni
answered a year ago
  • Thanks a lot. That worked!

0

From the information you provided, I understand you need more information related to authentication logout and session timeout for ALB.

When a user that has been authenticated needs to log out, the application should invalidate the session cookie by setting expiry to -1 but also redirect the client to the IdP logout endpoint. This needs to be done by your application.

Make sure the code consists of:

  1. Invalidate the AWSELBAuthSessionCookie-0 and AWSELBAuthSessionCookie-1 cookie by setting expiration time to -1, or just clear both of them.
  2. Redirect the user to the IdP logout endpoint.

You should be able to set the expiry to -1 with Set-Cookie.

I hope you find this helpful.

Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-logout-timeout
https://www.exampleloadbalancer.com/auth_detail.html
https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

cindy_w
answered 2 years ago
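The two answers above describe the same procedure: the backend, not the browser, expires the ALB session cookies and redirects to the IdP logout endpoint in one response. The following is an added example of that procedure as a stdlib-only Python handler; it is not code from the thread or from AWS. The Cognito domain, app client id, logout_uri and the `Path=/` scope of the ALB cookies are assumptions and must be replaced with your own values.

```python
# Added example (not from the original thread): a stdlib-only logout
# handler for a service behind an ALB with Cognito authentication.
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode

# Hypothetical values: replace with your Cognito domain, app client id and
# a logout_uri that is registered on that app client.
COGNITO_DOMAIN = "https://example-app.auth.us-east-1.amazoncognito.com"
COGNITO_CLIENT_ID = "example_client_id"
LOGOUT_URI = "https://app.example.com/logged-out"

# The ALB stores its session in up to four cookies with these names.
ALB_COOKIE_NAMES = [f"AWSELBAuthSessionCookie-{i}" for i in range(4)]


def idp_logout_url() -> str:
    """Cognito hosted-UI logout endpoint; Cognito ends its own session and
    then sends the browser to logout_uri."""
    query = urlencode({"client_id": COGNITO_CLIENT_ID, "logout_uri": LOGOUT_URI})
    return f"{COGNITO_DOMAIN}/logout?{query}"


def expired_alb_cookie_headers() -> list[tuple[str, str]]:
    """One Set-Cookie header per ALB cookie name, each already expired.

    The browser matches a cookie by name, domain and path, so the path must
    be the one the ALB used (assumed "/" here). HttpOnly does not stop the
    server from overwriting the cookie; it only hides it from document.cookie.
    """
    headers = []
    for name in ALB_COOKIE_NAMES:
        jar = SimpleCookie()
        jar[name] = ""
        morsel = jar[name]
        morsel["path"] = "/"  # assumption: ALB cookies are scoped to "/"
        morsel["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
        morsel["max-age"] = -1  # any value <= 0 expires the cookie at once (RFC 6265)
        morsel["secure"] = True
        morsel["httponly"] = True
        headers.append(("Set-Cookie", morsel.OutputString()))
    return headers


def logout_response() -> tuple[int, list[tuple[str, str]]]:
    """Status and headers of the logout response: clear the ALB cookies and
    redirect to the IdP logout endpoint in the same response."""
    headers = expired_alb_cookie_headers()
    headers.append(("Location", idp_logout_url()))
    headers.append(("Cache-Control", "no-store"))
    return 302, headers


class LogoutHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/logout":
            self.send_error(404)
            return
        status, headers = logout_response()
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Run behind the ALB; the ALB passes the Set-Cookie headers through to the browser.
    HTTPServer(("0.0.0.0", 8080), LogoutHandler).serve_forever()
```

A logout endpoint reachable by a plain GET can be triggered from another site (logout CSRF); if that matters for your application, accept the request only as a POST carrying a CSRF token and return the same response.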
0

Thank you for the answer, Cindy. I don't understand how to set the expiry to -1 if the HTTPOnly flag is set though. That flag prevents the cookie from being modified through JavaScript. Am I missing something? Thanks!

Austin
answered 2 years ago
0

Thank you both for the answers. I am using Streamlit to deploy a small/medium application in AWS and I do not think this approach works with that framework, since most of the server-side code is not directly accessible. I ended up having to move user authentication from the ALB into the application itself to get it working.

Austin
answered a year ago
