Is the Cognito hosted UI browser session length configurable?

1

After authenticating against the Cognito hosted UI, it appears the session cookie expires after an hour and if the user visits the hosted UI again after an hour they will be required to re-enter their credentials. Is this correct and if so, is there any way to extend this?

I am interested in using Cognito as a mechanism to provide SSO between 2 applications and would like the following scenario to be possible:

  • user logs into application A using the hosted UI
  • 3 hours later the same user opens application B and choose SSO as a login option and is directed to the hosted UI again
  • user does not have to re-enter their credentials

Thanks.

asked a year ago1023 views
3 Answers
1
Accepted Answer

In your application, you need to use the Cognito provided JWTs for treating the user as a logged-in user. As long as the JWT's validity period has not reached, do not redirect the user to login again via hosted UI. As mentioned in the other answer by Joe, you can configure the lifetime for the JWT tokens between 5 minutes and 24 hours. The session cookie's validity time is fixed, which is 1 hour and it is not customizable at this moment.

However, in case you do not want to use the JWTs, then unfortunately there is no good solution while using Cognito. Because, Amazon Cognito service is NOT a session-based authentication system, instead it is mainly a token-based auth system. If an user does not visit the Cognito hosted UI for more than an hour, then the session cookie will be invalidated.

AWS
SUPPORT ENGINEER
Tarit_G
answered a year ago
profile picture
EXPERT
reviewed a year ago
  • Thanks, I suspected as much. Are there any plans to expand the functionality of Cognito to make it work as a session based system or any alternatives within the AWS ecosystem?

  • @beckett_j Cognito is a token based authentication system only. Session based authentication systems are not scalable, however token based systems are good fit when customers are dealing with large scale systems. AFAIK, there is no session-based authentication service in AWS.

  • We need much longer session cookie expiration time to code SSO between apps from different domains who use the same Cognito user pool. E.g. if a user is already logged into foo.com and then goes to bar.com for the first time, he should be logged in automatically thanks to the session cookie on Cognito hosted UI domain.

    So how to bump Cognito hosted UI session cookie validity? Or is there a simple alternative to achieve what we need?

    Just in case, we strongly don't want to figure out https://github.com/awslabs/aws-amplify-identity-broker or build our own sign-in UI from scratch.

1

Interesting that "Amazon Q" advises that the session is configurable:

Question

How do I configure the AWS Cognito user session duration

Answer

To configure the AWS Cognito user session duration: Sign in to the AWS Management Console and open the Amazon Cognito console at https://console.aws.amazon.com/cognito/home (link) . Choose the user pool for which you want to configure session duration. Under "General Settings", choose "Session". For "Session duration", specify the number of hours for which the user session should remain active after the user signs in. The default is 1 hour. Choose "Save Changes" to apply the updated session duration setting. This allows you to configure how long a user's sign-in session remains active within your Cognito user pool after the user signs in. > Specifying a longer session duration means users do not need to sign in as frequently during their app usage sessions.

The answer provided is wrong as there are no "General Settings" on the user pool. Can you confirm this setting was removed? A one hour long user session is a severe limitation for single-sign-on use of AWS Cognito.

answered 7 months ago
-2

Hello Beckett,

Amazon Cognito User Pools have a customizable time limit for the JSON Web Token (JWT) used for access token. These can be configured from 5 minutes to 24 hours (1 day). It should be noted that when using the Amazon Cognito HostedUI, the session cookie is cached for a minimum of 1 hour and any access token configured for a shorter time would not be honored through the HostedUI.

You can find explicit details in the Amazon Cognito documentation on User Pool Access Tokens JWTs here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html

AWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions