How to Modify AWSELBAuthSessionCookie to Log Off User

0

I have developed a containerized web server in ECS behind a Cognito authenticated Application Load Balancer. I am in the final stages of development and working on implementing a log off button. The documentation below states to log off a user, the application should modify the authentication session cookies and set the expiry to -1. On the client side, I can see the session cookies, but they are marked as HTTPOnly and can not be modified. I do not see the cookies on the server side and based on the documentation, it does not sound like the cookies are sent to the server. How do I modify the cookies to log out a user or is there another way to log out a user? https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

Austin
asked 2 years ago · 3614 views
4 Answers
1

You need to invalidate the ALB cookies in your server-side code which resides behind the ALB, not in JavaScript.

  • Request goes into your application through the ALB, to your logout code.
  • Your backend code uses the set-cookie header to return cookies with the same name that the ALB uses (AWSELBAuthSessionCookie-0 up to AWSELBAuthSessionCookie-3) and expiry and max-age with values -1.
  • The same response that sets those cookie headers also needs to send a 302 redirect to the IdP logout endpoint.
  • The browser receives the response, removes the ALB cookies from its local cookie storage, and goes to the IdP logout endpoint.
yoni
answered a year ago
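One way to implement the logout route yoni describes, as an added example that is not part of the original answer: a plain WSGI app in Python whose `/logout` handler clears all four ALB cookies and, in the same response, 302-redirects to the Cognito logout endpoint. The Cognito domain, client ID and logout URI are placeholders, and the app is assumed to run behind the ALB so the request reaches it with the cookies attached.

```python
from urllib.parse import urlencode
from wsgiref.simple_server import make_server

# Names the ALB uses for its session cookies (AWSELBAuthSessionCookie-0 .. -3).
ALB_COOKIE_NAMES = [f"AWSELBAuthSessionCookie-{i}" for i in range(4)]

# Placeholder values; replace with your own user pool domain, app client ID and
# the sign-out URL registered on that app client.
COGNITO_DOMAIN = "example.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
LOGOUT_URI = "https://app.example.com/"


def expire_cookie_header(name: str) -> str:
    """Set-Cookie value that makes the browser drop the named ALB cookie.

    Max-Age=-1 is what the ALB docs describe; an Expires of -1 is not a valid
    date and would be ignored, so the epoch date is used as the fallback.
    Path/Secure/HttpOnly mirror the attributes the ALB set on the cookie."""
    return (f"{name}=; Max-Age=-1; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            "Path=/; Secure; HttpOnly")


def build_logout_response(cognito_domain: str, client_id: str, logout_uri: str):
    """Return (status, headers): clear the ALB cookies and redirect to Cognito's
    /logout endpoint in the same response, so the IdP session ends as well."""
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    headers = [("Set-Cookie", expire_cookie_header(n)) for n in ALB_COOKIE_NAMES]
    headers.append(("Location", f"https://{cognito_domain}/logout?{query}"))
    headers.append(("Cache-Control", "no-store"))  # never cache a logout response
    return "302 Found", headers


def app(environ, start_response):
    """Minimal WSGI app: /logout clears the session, anything else is the app."""
    if environ.get("PATH_INFO") == "/logout":
        status, headers = build_logout_response(COGNITO_DOMAIN, CLIENT_ID, LOGOUT_URI)
        start_response(status, headers)
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"authenticated content\n"]


if __name__ == "__main__":
    make_server("0.0.0.0", 8080, app).serve_forever()
```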
0

From the information you provided, I understand you need more information related to authentication logout and session timeout for ALB.

When a user that has been authenticated needs to log out, the application should invalidate the session cookie by setting expiry to -1 but also redirect the client to the IdP logout endpoint. This needs to be done by your application.

Make sure the code consists of:

  1. Invalidate the AWSELBAuthSessionCookie-0 and AWSELBAuthSessionCookie-1 cookie by setting expiration time to -1, or just clear both of them.
  2. Redirect the user to the IdP logout endpoint

You should be able to set the expiry to -1 with set-cookie.

I hope you find this helpful.

Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-logout-timeout
https://www.exampleloadbalancer.com/auth_detail.html
https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

cindy_w
answered 2 years ago
0

Thank you for the answer, Cindy. I don't understand how to set the expiry to -1 if the HTTPOnly flag is set though. That flag prevents the cookie from being modified through JavaScript. Am I missing something? Thanks!

Austin
answered 2 years ago
0

Thank you both for the answers. I am using Streamlit to deploy a small/medium application in AWS and I do not think this approach works with that framework since most of the server-side code is not directly accessible. I ended up having to move user authentication from the ALB into the application itself to get it working.

Austin
answered a year ago
