What is the point of using the logout endpoint when AWS cognito is stateless?

0

Hi there, the https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html documentation says the logout endpoint is used to log the user out. But AWS Cognito is stateless, so it does not have any session tracking on the server side and everything is managed on the client. So to log out a user, can't we just clear the cookie and local storage related to Cognito instead of using the logout endpoint? Regardless of whether we use the hosted UI or not.

Manoj
asked 7 months ago · 221 views
1 Answer
0

Hello,

From the case notes I understand that you have a query regarding the Logout endpoint. You wish to know, if Cognito is stateless, what the need is for using the Logout endpoint. Also you wish to know whether, to log out a user, we can just clear the cookie and local storage in the browser related to Cognito instead of using the logout endpoint.

ANSWER

Yes, Cognito is stateless; that means Cognito does not store session information on the server side.

When you use a browser for user authentication, Amazon Cognito stores a cookie named "cognito" in your browser. The cookie is associated with the Amazon Cognito domain that's configured with your user pool. The cookie is valid for 1 hour. When a user tries to sign in again during an active session, Amazon Cognito asks the user if they want to continue their existing session. This allows the user to sign in without providing credentials. If a user chooses the Sign in as example_username button to use an existing session, then the cookie's validity resets to 1 hour.

When a user visits the logout endpoint in their browser, Amazon Cognito clears the session cookie. The user must provide their credentials to sign in again.

When a user signs in with third-party identity providers (IdPs), there's an extra step to perform. If a user signs in using one of the third-party IdPs, then visiting the logout endpoint clears the "cognito" cookie from the browser. However, the IdP can still have an active session. Consider the following information when you're clearing out the user's IdP session:

Amazon Cognito supports the single logout (SLO) feature for Security Assertion Markup Language version 2.0 (SAML 2.0) IdPs with HTTP POST Binding. If your provider accepts HTTP POST Binding on its SLO endpoint, then consider implementing SLO for SAML IdPs. If a user visits the logout endpoint with SLO turned on, then Amazon Cognito sends a signed logout request to the SAML IdP. Then, the SAML IdP clears the IdP session. For social and OpenID Connect (OIDC) IdPs, you must create a custom workflow to clear the IdP session from the browser.

To summarize, when you call the Logout endpoint it will simply clear the cookies for Cognito in the client's browser. Yes, to log out a user you can clear the cookie and local storage related to Cognito instead of using the logout endpoint. But the Logout endpoint also does that for you, so that you don't have to manually delete the cookies.

AWS
answered 7 months ago
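As an added illustration of the two steps the answer describes (not code from the thread or from AWS), the routine below clears the tokens the application itself keeps in browser storage and then sends the browser to the documented hosted-UI `/logout` endpoint so the "cognito" session cookie on the Cognito domain is cleared as well. The only parts taken from the page or from Cognito's documented behaviour are the endpoint path and its `client_id` / `logout_uri` parameters; the domain, client id, sign-out URL, key prefix and in-memory storage stub are assumptions constructed for the example.

```javascript
// Added example, not part of the re:Post thread. Assumed values are marked.

// Key prefix under which the Amplify/amazon-cognito-identity-js libraries keep
// tokens in localStorage; treated as an assumption for this example.
const TOKEN_KEY_PREFIX = 'CognitoIdentityServiceProvider.';

// Build the hosted-UI logout URL documented at
// https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
// `domain` is the user pool's Cognito domain, `clientId` the app client id, and
// `logoutUri` must be registered as an allowed sign-out URL on that app client.
function buildLogoutUrl({ domain, clientId, logoutUri }) {
  // Cognito only accepts https sign-out URLs (plain http is allowed for localhost).
  if (!/^https:\/\//.test(logoutUri) && !/^http:\/\/localhost(:\d+)?\//.test(logoutUri)) {
    throw new Error('logout_uri must be https (or http://localhost)');
  }
  const url = new URL(`https://${domain}/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('logout_uri', logoutUri);
  return url.toString();
}

// Remove every token the application holds for this app client.
// `storage` is any Web Storage-like object (window.localStorage in a browser).
function clearLocalTokens(storage, clientId) {
  const prefix = `${TOKEN_KEY_PREFIX}${clientId}.`;
  const removed = [];
  // Collect first: removing while iterating over storage.key(i) shifts indexes.
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (key && key.startsWith(prefix)) removed.push(key);
  }
  removed.forEach((k) => storage.removeItem(k));
  return removed;
}

// Full sign-out: local cleanup plus redirect to the endpoint. `navigate` is
// injected (window.location.assign in a browser) so the routine can be tested.
function signOut(storage, config, navigate) {
  const removed = clearLocalTokens(storage, config.clientId);
  const url = buildLogoutUrl(config);
  navigate(url);
  return { removed, url };
}

// Minimal Storage-like stub so the example runs outside a browser.
function createMemoryStorage() {
  const map = new Map();
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Constructed sample: one signed-in user's tokens plus an unrelated key that
// must survive the cleanup.
function demo() {
  const config = {
    domain: 'auth.example.com',                       // assumed Cognito domain
    clientId: 'abc123',                               // assumed app client id
    logoutUri: 'https://app.example.com/signed-out',  // assumed sign-out URL
  };
  const storage = createMemoryStorage();
  const base = `${TOKEN_KEY_PREFIX}${config.clientId}.alice`;
  storage.setItem(`${base}.idToken`, 'constructed-id-token');
  storage.setItem(`${base}.accessToken`, 'constructed-access-token');
  storage.setItem(`${base}.refreshToken`, 'constructed-refresh-token');
  storage.setItem('app.theme', 'dark');
  const result = signOut(storage, config, () => {}); // no-op instead of window.location.assign
  return { ...result, remaining: storage.length };
}
```

Clearing storage on the application origin only discards the tokens the app holds; the hosted-UI session cookie lives on the Cognito domain, which script on the application origin cannot touch, so a user who skipped the redirect could still hit the hosted UI and be offered "Sign in as example_username". The redirect to `/logout` is what removes that cookie, and, as the answer notes, any third-party IdP session still needs SLO or a provider-specific sign-out on top of this.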
