Comments (7)

ottokruse avatar ottokruse commented on July 19, 2024

Hi @thertzelle . How sure are you it is not your browser's cache?

from cloudfront-authorization-at-edge.

thertzelle avatar thertzelle commented on July 19, 2024

If I visit the page in a new window and visit the cookies tab, I have an old cookie. It seems like it would be hard to visit the page and for it not to have requested the default endpoint and refreshed the tokens?

ottokruse avatar ottokruse commented on July 19, 2024

> If I visit the page in a new window and visit the cookies tab, I have an old cookie.

Yeah, cookies are shared by all tabs. If the cookie is old in the new tab, it will be old in all tabs.

> It seems like it would be hard to visit the page and for it not to have requested the default endpoint and refreshed the tokens?

Yeah, if a refresh token is there that is still valid, the solution of this repo would use it to refresh the tokens. (Which is intended behavior)

If the user clicks "sign-out" explicitly, the cookies are thrown away. If the user doesn't do that, but just closes the browser, the cookies might be thrown away but this depends on:

  • If the cookie settings you use in your Lambda@Edge-Auth setup include a max-age or expires, then the cookies will remain in your browser until that time.

  • If the cookie settings you use in your Lambda@Edge-Auth setup do not include a max-age or expires, then the cookies are session cookies, which, depending on your browser setup, get deleted when you close the browser. Many browsers nowadays do not do that; it is a browser setting that users can alter.

Another factor coming into play is that the refresh token itself has an expiry date, which can be set in the Cognito User Pool config (defaults to 30 days).

ottokruse avatar ottokruse commented on July 19, 2024

Closing for now, as I do not believe there is an action for this repo.

yashsharma04 avatar yashsharma04 commented on July 19, 2024

Hi @ottokruse
Quick question: for scenarios where we log out and remove the cookies from the browser: if we copy the ID token beforehand and use it to make further requests from Postman, it would still work.
What would be your recommendation to solve such use cases (to invalidate the logged-out ID token, since it's stateless)?

ottokruse avatar ottokruse commented on July 19, 2024

Best strategy I think is to have short token expiration so this risk becomes low enough to be acceptable.

Otherwise, what you could do is call e.g. Cognito GetUser with the access token, and if that fails you know the user is logged out. But it's not ideal to call that on every request (in the checkauth lambda) because it adds latency and there is a max rps to it.

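As an added example (not code from cloudfront-authorization-at-edge or its author), this sketches how the GetUser check suggested above could be kept off the hot path of a check-auth Lambda: reject locally expired tokens first, and reuse a recent GetUser outcome per user for a short window, so the network call and its rps limit apply at most once per user per window. The cache, the 60-second window and the `decide`/`recordVerification` names are assumptions; JWT signature and issuer verification are assumed to have already happened.

```javascript
// Added example, not code from cloudfront-authorization-at-edge: a cached
// revocation check for a check-auth Lambda, so the Cognito GetUser call is
// not made on every request. Signature/issuer verification of the JWT is
// assumed to have been done before this step.

const REVOCATION_RECHECK_MS = 60 * 1000; // assumption: ask Cognito at most once a minute per user

// Decode the JWT payload only (no verification; the signature is checked elsewhere).
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Decide how to treat a request. Returns "deny", "allow", or "verify"; on
// "verify" the caller performs GetUser and reports back via recordVerification.
function decide(cache, accessToken, nowMs, recheckMs = REVOCATION_RECHECK_MS) {
  const payload = decodePayload(accessToken);
  // 1. A locally expired token is rejected without any network call.
  if (typeof payload.exp !== "number" || payload.exp * 1000 <= nowMs) return "deny";
  // 2. A recent GetUser result for this user is reused.
  const cached = cache.get(payload.sub);
  if (cached && nowMs - cached.checkedAt < recheckMs) return cached.ok ? "allow" : "deny";
  // 3. Cache miss or stale entry: the caller must ask Cognito once and cache the answer.
  return "verify";
}

// Store the outcome of a GetUser call (ok = true if Cognito still accepts the token).
function recordVerification(cache, accessToken, ok, nowMs) {
  cache.set(decodePayload(accessToken).sub, { ok, checkedAt: nowMs });
}

// Build a constructed, unsigned sample token; only the payload matters for this demo.
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.sig`;
}
```

Keying the cache on `sub` means a cached "deny" also blocks a fresh sign-in by the same user until the window passes; keying on the token's `jti` claim instead avoids that at the cost of more GetUser calls.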
yashsharma04 avatar yashsharma04 commented on July 19, 2024

Having a short token expiration is still flagged by our info-sec team, and making a network call as you mentioned adds latency. Any other approach that would be practical enough to implement? @ottokruse
