aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

How to set session token expiry timeout? #2714

Open sandeshakya opened 5 years ago

sandeshakya commented 5 years ago

Which Category is your question related to?
Authentication session

What AWS Services are you utilizing?
S3, Cognito

Provide additional details e.g. code snippets
Hello, I'm working on a ReactJS project where I'm using Amplify for signup/signin, and user information is stored in Cognito. I'm trying to set the timeout for a session token to be ~1 hour. From my understanding, the timeout can be set in User Pools -> App clients, but I can only go as low as 1 day. Is there a way to get the user to have to sign in again if they haven't visited the site for 1 hour?

joahg commented 5 years ago

I am also trying to find this. no luck thus far.

powerful23 commented 5 years ago

@sandeshakya currently there is no way to set an expiry timeout for tokens in Amplify. The workaround is to set a timer or something in your app and do globalSignOut to revoke the tokens when the time's up. Doc of globalSignOut: https://aws-amplify.github.io/docs/js/authentication#sign-out

I will mark this as feature request.

powerful23 commented 5 years ago

Related to #1972

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

hashx101 commented 4 years ago

I also encounter the same situation. It would be a lot more convenient if the Cognito token expiry could support an hourly scale (min. 1 hr).

dorsegal commented 4 years ago

+1

brubom commented 4 years ago

+1 It becomes a pain when we try to test how our app handles the token expiration

llinq commented 4 years ago

+1

diego-palmeira commented 4 years ago

+1

RokoDeveloper2 commented 4 years ago

+1

axelra82 commented 4 years ago

+1

dongerardor commented 4 years ago

+1

ErikOwen commented 4 years ago

+1

ashveen commented 4 years ago

+1

michaelaplas commented 4 years ago

+1

webdevog commented 4 years ago

+1

forgivegod commented 3 years ago

+1

ghost commented 3 years ago

+1

tuanardouin commented 3 years ago

+1

ionutcirja commented 3 years ago

Is there any news about this feature?

Taelkir commented 3 years ago

Looks like refresh tokens can now be set to expire after just 60 minutes. This can be set in User Pools->General settings->App clients-> Show details in the Cognito console. I think this change was announced in August 2020, according to this post: https://aws.amazon.com/about-aws/whats-new/2020/08/amazon-cognito-user-pools-supports-customization-of-token-expiration/

skworden commented 3 years ago

https://aws.amazon.com/about-aws/whats-new/2020/08/amazon-cognito-user-pools-supports-customization-of-token-expiration/

Does anyone know how to set the expiration time?

t829702 commented 3 years ago

> @sandeshakya currently there is no way to set an expiry timeout for tokens in Amplify. The workaround is to set a timer or something in your app and do globalSignOut to revoke the tokens when the time's up. Doc of globalSignOut: https://aws-amplify.github.io/docs/js/authentication#sign-out

This timer doesn't work if the user closed the browser page. For example, if I want the cookie to time out after 3 hours of inactivity, the user might have closed the browser page, but if within 3 hours the user comes back and opens the page again, the cookie session should be extended by 3 more hours; if the user closed the page and comes back after 3 hours, the cookie should expire and require the user to log in again.

skworden commented 3 years ago

> This timer doesn't work if the user closed the browser page. For example, if I want the cookie to time out after 3 hours of inactivity, the user might have closed the browser page, but if within 3 hours the user comes back and opens the page again, the cookie session should be extended by 3 more hours; if the user closed the page and comes back after 3 hours, the cookie should expire and require the user to log in again.

This is expected and how cookies work. Cookies stay in the browser until a user requests to delete them, they expire, or a system that has access deletes them.

The timer works, and you must account for the scenario you are describing yourself. Traditionally, you also set the dialog's expiration timer when you check for auth on every page load.

You cannot directly read a cookie's expiration time. So, you'd need to track the session cookie expiration in local storage or another cookie so you can retrieve the expiration time when the user returns to your site. When you refresh the user's session, you'd also set the latter value. However, since Cognito doesn't allow for HTTP-only cookies, you can access the session expiration by decoding the JWT stored in the Cognito cookie.

Alternatively, when a user returns to your site, you could check if they are authenticated; if not, force login. If a user is interacting with your site, they will never see a dialog. I personally only would put a dialog timer if the user session is short-lived.
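The two comments above describe the mechanics without showing them: keep the deadline somewhere that survives a closed tab, extend it on every visit or activity, and on page load decide between "sign out" and "extend". The block below is an added example that does exactly that, with an injectable storage and clock so it runs outside a browser; it is not code from Amplify or from anyone in this thread. It also includes two helpers for the "decode the JWT" suggestion: one that locates the ID token under the storage keys amazon-cognito-identity-js uses (`CognitoIdentityServiceProvider.<clientId>.<username>.idToken`, with the last user recorded under `...<clientId>.LastAuthUser`), and one that reads its `exp` claim. Names such as `STORAGE_KEY`, `createIdleSession`, `findStoredIdToken` and `tokenExpiryMs` are this example's own, and the sample token at the bottom is constructed, not issued by Cognito. One caveat the example's comments repeat: `exp` on the ID or access token is the short-lived token's lifetime, which Amplify renews with the refresh token, so it is useful for scheduling a UI timer but is not the inactivity limit, and an unverified claim must never drive an authorization decision.

```javascript
// Added example, not aws-amplify code: inactivity deadline persisted in
// localStorage, plus helpers to find and inspect the stored Cognito ID token.
const STORAGE_KEY = 'app.sessionDeadline'; // assumed key, chosen for this example
const THREE_HOURS_MS = 3 * 60 * 60 * 1000; // the 3-hour scenario from the thread

function b64urlDecode(s) {
  // JWT segments are unpadded base64url; Node's decoder wants the standard alphabet
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Reads exp (seconds since epoch) from a JWT WITHOUT checking its signature.
// Fine for scheduling a timer in the UI; never use it to decide what a user may do.
function tokenExpiryMs(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const claims = JSON.parse(b64urlDecode(parts[1]));
  if (!Number.isInteger(claims.exp)) throw new Error('token has no numeric exp claim');
  return claims.exp * 1000;
}

// Key layout used by amazon-cognito-identity-js (the Amplify versions in this thread).
function findStoredIdToken(storage, clientId) {
  const prefix = `CognitoIdentityServiceProvider.${clientId}`;
  const user = storage.getItem(`${prefix}.LastAuthUser`);
  return user === null ? null : storage.getItem(`${prefix}.${user}.idToken`);
}

function createIdleSession({ storage, signOut, idleLimitMs = THREE_HOURS_MS, now = () => Date.now() }) {
  const deadline = () => {
    const raw = storage.getItem(STORAGE_KEY);
    return raw === null ? null : Number(raw);
  };
  const extend = () => storage.setItem(STORAGE_KEY, String(now() + idleLimitMs));
  return {
    // Call once per page load. A deadline that passed while the tab was closed
    // ends the session; a visit inside the window pushes the deadline out again.
    resume() {
      const d = deadline();
      if (d !== null && now() >= d) {
        storage.removeItem(STORAGE_KEY);
        signOut(); // in the app: () => Auth.signOut({ global: true })
        return 'expired';
      }
      extend();
      return 'active';
    },
    touch: extend, // wire to click/keydown events for activity-based extension
    remainingMs() {
      const d = deadline();
      return d === null ? 0 : Math.max(0, d - now());
    },
  };
}

// Constructed sample token with the structure of a Cognito ID token (unsigned, for illustration).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', kid: 'constructed' }),
  b64url({ sub: 'constructed-sub', token_use: 'id', iat: 1700000000, exp: 1700003600 }),
  'constructed-signature',
].join('.');

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a browser, pass `window.localStorage` as `storage`, call `session.resume()` at startup, register `session.touch` on user-activity events, and arm `setTimeout(() => session.resume(), session.remainingMs())` so an open tab signs out at the deadline as well; `tokenExpiryMs(findStoredIdToken(localStorage, clientId))` gives the point at which Amplify will next have to refresh the short-lived token, which is the only expiry the stored JWT can tell you.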

fdx-sajangurung commented 3 years ago

With the user pool now supporting user token expiration, I'm curious to understand how it works with SMS_MFA. For example, for a user pool configured with 60 min refresh token expiry and a user who has SMS_MFA enabled and has configured to be remembered on a device, does this still revoke their token so they have to log in again?

axelra82 commented 2 years ago

While looking into different ways of handling Amplify Cognito generated tokens I came across this issue. I've read some of the posts here and felt like I should mention:

  1. A working JavaScript solution for handling "token invalidation" (sign out) on user closing tab/window

    import { Auth } from "aws-amplify";

    window.addEventListener("beforeunload", async (event) => {
    // do NOT call event.preventDefault() here: in current browsers that is
    // what triggers the "You are about to leave page, are you sure" popup

    // execute sign out (the handler must be async to await this; the browser
    // may tear the page down before the request completes)
    await Auth.signOut();

    // in our use case we are using a Vue SPA with a User store module
    // which has an action that handles everything on user logout
    // this.$store.dispatch("User/logOut");
    });

For our Vue app we put the 👆 code at the very top of the SPA, inside the beforeCreate hook

beforeCreate() {
  ...
}

Every time the user closes the SPA (tab/window) they are logged out. This would be for any application that has sensitive data and should always require login after "leaving" the app.

  2. For a more flexible solution it dawned on me that a WebSocket API should be perfect for this type of "user session check". I haven't tested this yet. But essentially, once the user is authenticated, set up the duplex and from there it should be fairly simple to handle/track a wider range of scenarios for a user, e.g. "active", "about to be signed out" or "has passed token expiration" etc 🤷‍♂️ This could be tailored to any use case/project specific need. And since the API should write temporary database user sessions with a lambda, this would also work even if the user leaves the page (and isn't signed out at that point), since any "timer" could be stored statically in the backend and could be checked against in the frontend.

Remains to be seen 🤓

stocaaro commented 2 years ago

Related to #2458

sokol8 commented 1 year ago

I have a situation where I need a call to Auth.currentAuthenticatedUser() or Auth.currentCredentials() to trigger my custom token refresh handler.

Right now our Cognito is configured in the way that the token I get from Auth.currentAuthenticatedUser() is valid for just 5 minutes.

Inside Credentials.ts I found a brilliant line of code preventing token refresh from happening earlier:

    const CREDENTIALS_TTL = 50 * 60 * 1000; // 50 min, can be modified on config if required in the future

Do you guys think you will ever allow this to be configurable?

PS: we don't really plan to have tokens valid for 5 minutes, but for debugging purposes waiting 50 minutes is kind of long.