
I am using ReactJS as my front end, with a python flask API backend. I have one hole in my application as it stands - when my users close out of the browser, they are not logged out (unless the Cognito refresh token expires).

However, I have read that the refresh token should not expire in a short period of time, and on Cognito, it has a minimum of 60 minutes.

I also have tried and disliked the window onUnload since (A) it only works on the first window/tab you open for the application and (B) reloads also trigger the onUnload.

I am currently considering my option to be on my backend, i.e. marking the last time I heard from the user and logging them out after 15 minutes if I have not heard an API call for data. However, this seems to bring its own issues (i.e. not every user will be refreshing the page and looking for data in the 15 minute window, but I could solve that by the onActive (I have an idle timer) whenever the user makes an action, I ping my api to tell it to reset my timer). The other main issue is I don't know how to remotely log someone out of their session in cognito without having access to their username and passcode which feels like a security issue.

Any and all help would be appreciated

  • If you can get Cognito to work with cookies then it's pretty simple to clear cookies when the window is closed [by leaving the expiration blank](https://stackoverflow.com/questions/1783302/clear-cookies-on-browser-close). Otherwise keeping the timeout low (like 15 minutes) and use `setInterval` to refresh the token every 10-15 minutes is a pretty good approach. – Henry Woody Jan 06 '22 at 18:47
  • As far as remotely logging someone out of their session: I believe that's part of the deal with JWTs, they're valid until they expire no matter what. Part of the benefit of JWTs is that you don't need to check a database for auth purposes anytime someone hits your API, but it also means you can't modify a token after it's been sent out. You can however add a database table that contains blacklisted JWTs if you want to remotely end someone's session, but I'm not sure if that'd work with Cognito (depending on your setup). – Henry Woody Jan 06 '22 at 18:50
  • I am currently using sessions for Cognito, is the switch to cookies difficult? Would it change any of the code I already have in place for my session work? – Christina Stebbins Jan 06 '22 at 18:51
  • Hey, Henry! I have no issues with my JWT - I have set my user's JWT to be valid for 5 minutes. The issue I am having is how to log my user out after x amount of time after they closed the web application and without forcing users to re authenticate every time the refresh token expires I don't see a way to refresh the refresh token without forcing the user to log in again, nor how to revoke the refresh token from a user if my API has not been hit in a while. – Christina Stebbins Jan 06 '22 at 18:54
  • Haven't found many resources on using cookies with Cognito online. I think the approach is a bit of a hack (not terrible though), you just make the cookie value the JWT then on the client get the JWT from cookies, rather than localStorage or wherever. On second thought, a better approach might just be to store the JWT in [sessionStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) (which is cleared when the window closes). Token would still be valid (and the user could grab it manually) but for normal users they'll log out when the window closes. – Henry Woody Jan 06 '22 at 18:56
  • @HenryWoody As long as the refresh token does not expire, the current access token will always be refreshed, regardless of how long it is valid ... – derpirscher Jan 06 '22 at 18:57
  • There are only two ways to log out a user from cognito: Either you do a global signout, which invalidates *all* refresh tokens of all sessions, or you do a local signout, which only invalidates the refresh token of the current session. Both a [global signout](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUserGlobalSignOut.html) and the [revocation](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html) of a specific token can be issued from your backend if you have the necessary information. – derpirscher Jan 06 '22 at 19:09
  • @derpirscher The question then is - is it safe to send the refresh token to my backend on user sign in in the payload, or will that be dangerous (ie more steal-able than just in my local). Or is there another way to access user refresh tokens? – Christina Stebbins Jan 06 '22 at 19:21
  • Well, that depends on how secure your backend is. Of course, information stored in more than one point has to be protected in more than one point ... Furthermore you must consider, what happens when a user logs in from two different devices. Will you automatically log out the older device? Will you store both tokens? – derpirscher Jan 07 '22 at 13:29
  • Good point. As of now, we do now allow devices to be remembered, so doing a global signout for that user is workable (the data we have is HIPAA protected). I think the current strategy is to global signout if the backend hasn't heard from the front end in x amount of time (and having the front end send pings when the user does an action) Thank yall for your help in thinking through this! – Christina Stebbins Jan 07 '22 at 15:19
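
The strategy the thread converges on (backend records the last time it heard from each user, the front end pings on user activity, and the backend issues a Cognito global sign-out once a user has been idle for the agreed window) is sketched below as an added example; it is not code from the question or the comments. It assumes a Flask backend with boto3 available, that the Cognito username and user pool id are already known from the verified ID token (how that verification is done is not shown on the page), and it names the pool id, the `/ping` route and the `sign_out` callback as hypothetical. The real sign-out uses the AdminUserGlobalSignOut call the comments link to; the tracker itself takes the callback as a parameter so it can be exercised without AWS credentials.

```python
"""Idle-timeout tracker for a Flask + Cognito backend (added example, not page code).

Assumptions (not on the page): `USER_POOL_ID` is a placeholder, the Cognito
username is already extracted from a verified ID token by the app, and boto3's
cognito-idp client is used for the global sign-out.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

IDLE_LIMIT_SECONDS = 15 * 60          # the 15-minute window discussed on the page
USER_POOL_ID = "us-east-1_PLACEHOLDER"  # hypothetical; replace with the real pool id


@dataclass
class IdleSessionTracker:
    """Remembers the last activity time per Cognito username and signs out idle users."""
    sign_out: Callable[[str], None]             # called with the username to sign out
    idle_limit: int = IDLE_LIMIT_SECONDS
    clock: Callable[[], float] = time.time      # injectable so the logic is testable offline
    last_seen: Dict[str, float] = field(default_factory=dict)

    def touch(self, username: str) -> None:
        """Record activity: any data API call, or the explicit ping sent from onActive."""
        self.last_seen[username] = self.clock()

    def expire_idle(self) -> List[str]:
        """Sign out every user idle longer than the limit; returns the usernames affected."""
        now = self.clock()
        expired = [u for u, t in self.last_seen.items() if now - t > self.idle_limit]
        for username in expired:
            # Global sign-out invalidates all of the user's refresh tokens, so the
            # front end can no longer mint a new access token after the window.
            self.sign_out(username)
            del self.last_seen[username]
        return expired


def cognito_global_sign_out(user_pool_id: str) -> Callable[[str], None]:
    """Build the real sign-out callback around boto3's AdminUserGlobalSignOut."""
    import boto3  # imported lazily so the tracker can be tested without AWS credentials
    client = boto3.client("cognito-idp")

    def _sign_out(username: str) -> None:
        client.admin_user_global_sign_out(UserPoolId=user_pool_id, Username=username)

    return _sign_out


def create_app(tracker: IdleSessionTracker):
    """Wire the tracker into Flask: every authenticated request and the ping route touch it."""
    from flask import Flask, g, jsonify  # lazy import: only needed when serving HTTP
    app = Flask(__name__)

    @app.before_request
    def record_activity():
        # Assumption: an earlier hook verified the Cognito JWT and set g.username.
        username = getattr(g, "username", None)
        if username:
            tracker.touch(username)

    @app.route("/ping", methods=["POST"])  # hypothetical route name
    def ping():
        # The front end's idle timer calls this on user activity to reset the server timer.
        return jsonify(ok=True)

    return app


if __name__ == "__main__":
    # Real wiring; a scheduler (cron, Celery beat, etc.) would call tracker.expire_idle()
    # periodically rather than relying on incoming requests to do it.
    tracker = IdleSessionTracker(sign_out=cognito_global_sign_out(USER_POOL_ID))
    create_app(tracker).run()
```

Two caveats the comments already hint at: the global sign-out only stops the refresh flow, so an access token your API validates by signature alone remains accepted until its own expiry (5 minutes in the question's setup), which is why a short access-token lifetime matters for this design; and `last_seen` here lives in process memory, so with more than one Flask worker it needs to move to a shared store such as a database or cache. The backend never needs the user's password for this, only the username and admin permissions on the pool.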

0 Answers