Purpose
This change sets an absolute session timeout for the Cognito IdP by changing the value of the refresh token expiration, and adds a section to the README explaining how to customize this value.
Linked Issues to Close
N/A
Approach
When a user signs in, Cognito sends Amplify back a refresh token along with an access token and ID token. When it detects an expired access token, Amplify makes calls to renew the session, using the refresh token to fetch another access token. The default expiration of the access token is 60 minutes, and for the refresh token it's 30 days.
Best practice for session management is to have an absolute session timeout. This minimizes the time window in which an attacker can launch session-based attacks. OWASP recommends a range of 4-8 hours for an absolute session timeout, which balances usability with security. The only built-in mechanism Cognito gives for controlling session length is adjusting the expiration of the refresh token. When this token expires, Amplify detects the expired refresh token on the next user action that requires an access token, and the user is logged out and redirected to the login page. Logging in starts a new session with a new refresh token.
Cognito doesn't support rotating refresh tokens (where a new refresh token is sent, and the old one invalidated, with every request to exchange a refresh token for an access token). Rather, the same refresh token is used for each refresh request. Given this, it makes sense to limit the lifetime of that token to mitigate the damage that could be caused by theft of the token.
Cognito does support invalidation of refresh tokens via an API endpoint. Amplify revokes tokens when you call signOut or globalSignOut. So you could theoretically impose a session timeout on the client side by setting a timer and calling one of these methods. Reducing the lifetime of the refresh token seems simpler and doesn't add any new client code.
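As an added example (not code from this PR or the project), the following audits an app client described in the shape of Cognito's DescribeUserPoolClient response: it applies Cognito's unit defaults (RefreshTokenValidity is read as days unless TokenValidityUnits.RefreshToken says otherwise) and reports whether the effective refresh-token lifetime lands in the 4-8 hour window the approach above targets. The field names are Cognito's; the sample clients are constructed.

```javascript
// Added example, not code from the PR or the project. It audits a Cognito app
// client described in the shape of the DescribeUserPoolClient response and
// reports whether the refresh-token lifetime gives an absolute session timeout
// in the 4-8 hour window. Field names are Cognito's; sample clients are constructed.
const UNIT_SECONDS = { seconds: 1, minutes: 60, hours: 3600, days: 86400 };
// Units Cognito assumes when TokenValidityUnits does not name one, and the
// values it uses when the validity field itself is absent.
const DEFAULT_UNITS = { RefreshToken: "days", AccessToken: "hours", IdToken: "hours" };
const DEFAULT_VALIDITY = { RefreshToken: 30, AccessToken: 1, IdToken: 1 };

// Effective lifetime in seconds of one token type for this client.
function validitySeconds(client, token) {
  const units = (client.TokenValidityUnits || {})[token] || DEFAULT_UNITS[token];
  const value = client[`${token}Validity`] ?? DEFAULT_VALIDITY[token];
  return value * UNIT_SECONDS[units];
}

// Returns the effective lifetimes, how many silent access-token refreshes the
// session allows before the refresh token expires, and policy findings.
function auditSessionTimeout(client, { minHours = 4, maxHours = 8 } = {}) {
  const refresh = validitySeconds(client, "RefreshToken");
  const access = validitySeconds(client, "AccessToken");
  const findings = [];
  if (refresh > maxHours * 3600) {
    findings.push(`refresh token lives ${refresh / 3600}h, above the ${maxHours}h absolute timeout`);
  } else if (refresh < minHours * 3600) {
    findings.push(`refresh token lives ${refresh / 3600}h, below the ${minHours}h usability floor`);
  }
  if (client.RefreshTokenValidity !== undefined && !(client.TokenValidityUnits || {}).RefreshToken) {
    findings.push("RefreshTokenValidity set without TokenValidityUnits.RefreshToken, so Cognito reads it as days");
  }
  if (access > refresh) {
    findings.push("access token would outlive the refresh token; Cognito rejects this combination");
  }
  return { refreshSeconds: refresh, accessSeconds: access,
           refreshesBeforeLogout: Math.ceil(refresh / access) - 1, findings };
}

// Constructed sample clients: Cognito's defaults, a common mistake, and the fix.
const DEFAULT_CLIENT = { ClientId: "example-client-id" };
const MISTAKEN_CLIENT = { ClientId: "example-client-id", RefreshTokenValidity: 8 };
const FIXED_CLIENT = { ClientId: "example-client-id", RefreshTokenValidity: 8,
                       TokenValidityUnits: { RefreshToken: "hours" } };

for (const c of [DEFAULT_CLIENT, MISTAKEN_CLIENT, FIXED_CLIENT]) {
  console.log(JSON.stringify(auditSessionTimeout(c)));
}
```

With the fixed client, a 60-minute access token gets refreshed silently at most seven times before the eight-hour refresh token expires and Amplify redirects to login.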
Learning
Lots of reading AWS Cognito and Amplify docs
Assorted Notes/Considerations
Testing: I changed the refresh token expiration, started a session, let the session time out, and via the Chrome inspector watched the refresh request fail and trigger a redirect to the login page.
Pull Request Creator Checklist
[ ] This PR has an associated issue or issues.
[ ] The associated issue(s) are linked above.
[ ] This PR meets all acceptance criteria for those issues.
[ ] This PR and linked issue(s) are adequately documented.
[ ] This PR and linked issue(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and its links, with no further interaction.
[ ] Someone has been assigned this PR.
[ ] At least one person has been marked as reviewer on this PR.
Pull Request Reviewer/Assignee Checklist
[ ] This PR has an associated issue or issues.
[ ] The associated issue(s) are linked above.
[ ] This PR meets all acceptance criteria for those issues.
[ ] This PR and linked issue(s) are adequately documented.
[ ] This PR and linked issue(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and its links, with no further interaction.