Best approach for limiting Amazon Cognito concurrent logins

0

I have a partner who has implemented Amazon Cognito User Pools, together with Amazon API Gateway and Lambda authoriser, for controlling access to a public-facing serverless application. They have had a security audit, and it has been highlighted that a single user can sign in to the application from multiple devices, using the same credentials via the Cognito hosted UI. From the partner's security policy perspective, for this particular application, it is desirable that only one session can be valid at any given moment in time.

I don't see that Amazon Cognito has a "built-in" mechanism to enforce maximum number of concurrent sessions (in other words, every valid authentication attempt results in a token being issued and being valid until expiry). Therefore, what is the recommended approach for implementing such a requirement with as little additional infrastructure as possible?

One approach seems to be to invoke a global sign out on the client-side to "log out" all existing sessions, but this would rely on the client code enforcing this at login time (something the security team are less comfortable with). Alternatively, could this logic also be enforced in Cognito Lambda Trigger code (post-authentication) so that it is not dependent on client behaviour?

Any common approaches you have seen customers and partners adopt to meet this requirement would be useful to further this conversation.

Many thanks.

AWS
asked 3 years ago, 4843 views
2 Answers
1
Accepted Answer

Hi Alan, a token-based authentication model (like what Cognito is doing) is meant to be stateless, and there is no concept of session tracking like in legacy session-based authentication, which tracks sessions with cookies. In other words, there is no way to know that a user has signed in already without storing this information and doing your own session management solution. In addition to this, the token is self-contained, and even after sign-out or revoking tokens, they are still valid until expired (since the majority of services will verify a token without calling the issuer; the token will be verified by just checking the signature and expiration).

The short answer is that, if you want to enforce a single session per user, then you need to fall back to session-based authentication and maintain a server-side managed session. One way to do that with Cognito is to store some information that the user has an active session (for example, in the Cognito Post-Auth trigger store some mapping in DynamoDB that user XYZ has an active session that will expire at time ABC, or store this information in a cache layer with an expiration period that matches the token expiration; don't store the token itself or any sensitive data). Then in the Pre-Auth trigger you can check if the username has an active session and fail the authentication attempt. You then need to think about how to invalidate this session if the user signs out or would like to switch to another device before the active session expires.

AWS
EXPERT
answered 3 years ago
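The Pre-Auth / Post-Auth pattern described in the accepted answer, as an added example that is not part of the original answer or of any AWS sample. It assumes the trigger event fields Cognito populates (`userName`, `request.userNotFound`, `triggerSource`) and uses a constructed in-memory `SessionStore` in place of the DynamoDB table; the `claim` method mirrors the conditional write (`attribute_not_exists(username) OR expires_at <= :now`) a real table would need so that two near-simultaneous logins cannot both succeed. The session TTL value and the `attempt_login` helper are assumptions for the demonstration.

```python
import time


class SessionStore:
    """Constructed stand-in for a DynamoDB table keyed by username.

    Each item holds only {"expires_at": <epoch seconds>}: no token, no
    sensitive data. In a real deployment put_item would carry a
    ConditionExpression so the claim stays atomic across Lambda invocations.
    """

    def __init__(self):
        self._items = {}

    def active_session(self, username, now):
        """Return the expiry of an unexpired session for username, else None."""
        item = self._items.get(username)
        if item is None or item["expires_at"] <= now:
            return None
        return item["expires_at"]

    def claim(self, username, expires_at, now):
        """Record a session only if none is active (conditional write)."""
        if self.active_session(username, now) is not None:
            return False
        self._items[username] = {"expires_at": expires_at}
        return True

    def release(self, username):
        """Invalidate the stored session on sign-out or device switch."""
        self._items.pop(username, None)


# Assumed value: should match the user pool's token lifetime.
SESSION_TTL_SECONDS = 3600
STORE = SessionStore()
BLOCKED_MESSAGE = "An active session already exists for this user"


def make_event(trigger_source, username, user_not_found=False):
    """Build a constructed Cognito trigger event with the fields used below."""
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "userName": username,
        "request": {"userAttributes": {}, "userNotFound": user_not_found},
        "response": {},
    }


def pre_authentication(event, context=None, store=STORE, now=None):
    """Pre Authentication trigger: raise to refuse a second concurrent login."""
    now = time.time() if now is None else now
    if event["request"].get("userNotFound"):
        return event  # leave unknown users to Cognito's normal error path
    if store.active_session(event["userName"], now) is not None:
        raise Exception(BLOCKED_MESSAGE)
    return event


def post_authentication(event, context=None, store=STORE, now=None,
                        ttl=SESSION_TTL_SECONDS):
    """Post Authentication trigger: record the session.

    The conditional claim closes the window between the Pre-Auth check and
    this write; raising here makes Cognito fail the sign-in.
    """
    now = time.time() if now is None else now
    if not store.claim(event["userName"], now + ttl, now):
        raise Exception(BLOCKED_MESSAGE)
    return event


def sign_out(username, store=STORE):
    """Release the server-side session when the user signs out."""
    store.release(username)


def attempt_login(username, store=STORE, now=None):
    """Run the two triggers in Cognito's order; return (allowed, message).

    Password verification happens inside Cognito between the two calls and
    is out of scope here.
    """
    try:
        pre_authentication(make_event("PreAuthentication_Authentication", username),
                           store=store, now=now)
        post_authentication(make_event("PostAuthentication_Authentication", username),
                            store=store, now=now)
    except Exception as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    demo = SessionStore()
    print(attempt_login("alice", store=demo, now=1000))   # (True, 'ok')
    print(attempt_login("alice", store=demo, now=1500))   # blocked: second device
    sign_out("alice", store=demo)
    print(attempt_login("alice", store=demo, now=1600))   # allowed after sign-out
```

Keeping the write conditional matters: with only the Pre-Auth check, two devices authenticating within the same few hundred milliseconds would both pass the check before either Post-Auth write landed. Note also that the store expiry says nothing about tokens already issued; as the answer states, a token stays verifiable until it expires, so the TTL should not exceed the token lifetime.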
0

Hello @Mahmoud Matouk, as of today, is this still the same answer?

answered 8 months ago
