Is the Cognito hosted UI browser session length configurable?

1

After authenticating against the Cognito hosted UI, it appears the session cookie expires after an hour and if the user visits the hosted UI again after an hour they will be required to re-enter their credentials. Is this correct and if so, is there any way to extend this?

I am interested in using Cognito as a mechanism to provide SSO between 2 applications and would like the following scenario to be possible:

  • user logs into application A using the hosted UI
  • 3 hours later the same user opens application B and chooses SSO as a login option and is directed to the hosted UI again
  • user does not have to re-enter their credentials

Thanks.

asked a year ago, 918 views
3 Answers
1
Accepted Answer

In your application, you need to use the Cognito provided JWTs for treating the user as a logged-in user. As long as the JWT's validity period has not been reached, do not redirect the user to login again via hosted UI. As mentioned in the other answer by Joe, you can configure the lifetime for the JWT tokens between 5 minutes and 24 hours. The session cookie's validity time is fixed, which is 1 hour, and it is not customizable at this moment.

However, in case you do not want to use the JWTs, then unfortunately there is no good solution while using Cognito. Because Amazon Cognito service is NOT a session-based authentication system; instead it is mainly a token-based auth system. If a user does not visit the Cognito hosted UI for more than an hour, then the session cookie will be invalidated.

AWS
SUPPORT ENGINEER
Tarit_G
answered a year ago
EXPERT
reviewed 10 months ago
  • Thanks, I suspected as much. Are there any plans to expand the functionality of Cognito to make it work as a session based system or any alternatives within the AWS ecosystem?

  • @beckett_j Cognito is a token based authentication system only. Session based authentication systems are not scalable; however, token based systems are a good fit when customers are dealing with large scale systems. AFAIK, there is no session-based authentication service in AWS.

  • We need a much longer session cookie expiration time to code SSO between apps from different domains that use the same Cognito user pool. E.g. if a user is already logged into foo.com and then goes to bar.com for the first time, he should be logged in automatically thanks to the session cookie on the Cognito hosted UI domain.

    So how to bump Cognito hosted UI session cookie validity? Or is there a simple alternative to achieve what we need?

    Just in case, we strongly don't want to figure out https://github.com/awslabs/aws-amplify-identity-broker or build our own sign-in UI from scratch.
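The accepted answer's advice is to drive the "is this user still signed in?" decision from the JWT lifetimes rather than from the hosted UI's fixed 1-hour cookie. The following is an added example (not code from the thread or from AWS) showing that decision for the 3-hour scenario in the question; the issuer URL and client id are assumed placeholder values, and signature verification against the pool's JWKS is assumed to happen before these claims are trusted.

```python
import base64
import json

# Assumed placeholder values for a hypothetical user pool and app client (not from the thread).
# Cognito issues tokens with iss = https://cognito-idp.{region}.amazonaws.com/{userPoolId}
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
EXPECTED_CLIENT_ID = "example-app-client-id"


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT.

    This does NOT verify the signature; the RS256 signature must be checked
    against the user pool's JWKS (assumed done elsewhere) before trusting claims.
    """
    _header, payload, _signature = jwt.split(".")
    padded = payload + "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def next_auth_step(access_token: str, refresh_token_expires_at: int, now: int) -> str:
    """Decide what the application should do, given Cognito's tokens and the current time.

    'use_token' - access token still valid: serve the request, do not send the user to the hosted UI
    'refresh'   - access token expired but the refresh token is alive: call the token endpoint
                  with grant_type=refresh_token, still without a login prompt
    'hosted_ui' - nothing usable: redirect to the hosted UI, which only skips the login form
                  if its own 1-hour session cookie has not expired
    """
    claims = decode_claims(access_token)
    access_valid = (
        claims.get("iss") == EXPECTED_ISSUER
        and claims.get("token_use") == "access"   # access tokens carry token_use and client_id
        and claims.get("client_id") == EXPECTED_CLIENT_ID
        and claims.get("exp", 0) > now
    )
    if access_valid:
        return "use_token"
    if refresh_token_expires_at > now:
        return "refresh"
    return "hosted_ui"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample JWT for demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example'})}.{enc(claims)}."
```

With a 1-hour access token and the default 30-day refresh token, a user returning 3 hours later lands in the "refresh" branch and is never asked for credentials again.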

1

Interesting that "Amazon Q" advises that the session is configurable:

Question

How do I configure the AWS Cognito user session duration

Answer

To configure the AWS Cognito user session duration: Sign in to the AWS Management Console and open the Amazon Cognito console at https://console.aws.amazon.com/cognito/home. Choose the user pool for which you want to configure session duration. Under "General Settings", choose "Session". For "Session duration", specify the number of hours for which the user session should remain active after the user signs in. The default is 1 hour. Choose "Save Changes" to apply the updated session duration setting. This allows you to configure how long a user's sign-in session remains active within your Cognito user pool after the user signs in. Specifying a longer session duration means users do not need to sign in as frequently during their app usage sessions.

The answer provided is wrong as there are no "General Settings" on the user pool. Can you confirm this setting was removed? A one hour long user session is a severe limitation for single-sign-on use of AWS Cognito.

answered 5 months ago
-2

Hello Beckett,

Amazon Cognito User Pools have a customizable time limit for the JSON Web Token (JWT) used as the access token. These can be configured from 5 minutes to 24 hours (1 day). It should be noted that when using the Amazon Cognito HostedUI, the session cookie is cached for a minimum of 1 hour, and any access token configured for a shorter time would not be honored through the HostedUI.

You can find explicit details in the Amazon Cognito documentation on User Pool Access Tokens JWTs here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html

AWS
answered a year ago
