79819979

Date: 2025-11-14 11:37:45
Score: 3
Natty:

On the backend I explicitly expire all ALB authentication cookies:

// Names of the cookies ALB issues for an authenticated session, plus the nonce cookie.
var cookieNames = new[]
{
    "AWSELBAuthSessionCookie-0",
    "AWSELBAuthSessionCookie-1",
    "AWSELBAuthSessionCookie-2",
    "AWSELBAuthSessionCookie-3",
    "AWSALBAuthNonce"
};

// Expire each cookie by re-sending it empty with an expiry date in the past.
// cookieDomain is defined elsewhere in the application (the domain the cookies were issued for).
var cookieOptions = new CookieOptions
{
    Expires = DateTimeOffset.UnixEpoch,
    HttpOnly = true,
    Secure = true,
    SameSite = SameSiteMode.None,
    Path = "/",
    Domain = cookieDomain
};

foreach (var name in cookieNames)
    Response.Cookies.Append(name, string.Empty, cookieOptions);

After clearing the cookies I generate the Cognito Hosted UI logout URL and redirect the user there.

However, even after expiring all AWSELBAuthSessionCookie-* cookies and completing Cognito logout, ALB immediately re-creates new cookies and keeps the user authenticated for the full access-token lifetime configured on the ALB.

Only when the access token expires does the user finally get redirected to the Cognito sign-in page. Until then, ALB continues to accept requests as authenticated.

Is there any way to force AWS ALB (with Cognito OIDC authentication) to immediately invalidate the authentication session after logout, instead of continuing to accept the existing access token until it naturally expires?

In other words, how can I make ALB stop re-issuing new AWSELBAuthSessionCookie-* cookies and redirect the user to the Cognito login page right after logout, without lowering the access-token TTL?
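As an added example (not the poster's code), the logout flow described above written as an ASP.NET Core minimal API endpoint: it expires the ALB session cookies and then builds the Cognito Hosted UI logout URL that the post mentions but does not show. The Cognito domain, client id and sign-out URL are placeholders, and the example assumes ALB set its cookies without a Domain attribute (host-only); confirm that against the Set-Cookie header ALB actually returns, because a browser only replaces a cookie whose name, domain and path all match.

```csharp
// Added example, not the original post's code. Requires an ASP.NET Core (.NET 6+) web project.
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Placeholders: replace with the deployment's real values.
const string CognitoDomain = "https://YOUR-DOMAIN.auth.REGION.amazoncognito.com";
const string ClientId = "YOUR_APP_CLIENT_ID";
// Must be registered as an allowed sign-out URL on the Cognito app client.
const string LogoutUri = "https://app.example.com/logged-out";

// Cookies ALB issues for an authenticated session, plus the nonce cookie.
string[] albCookies =
{
    "AWSELBAuthSessionCookie-0", "AWSELBAuthSessionCookie-1",
    "AWSELBAuthSessionCookie-2", "AWSELBAuthSessionCookie-3",
    "AWSALBAuthNonce",
};

app.MapGet("/logout", (HttpContext ctx) =>
{
    // Expiry attributes must match the cookie ALB set: Path=/ and, by this example's
    // assumption, no Domain attribute. Adding a Domain here would create a second,
    // separate cookie in the browser and leave ALB's original cookie untouched.
    var expired = new CookieOptions
    {
        Expires = DateTimeOffset.UnixEpoch,
        Path = "/",
        Secure = true,
        HttpOnly = true,
        SameSite = SameSiteMode.None,
    };
    foreach (var name in albCookies)
        ctx.Response.Cookies.Append(name, string.Empty, expired);

    // Prevent the browser or a proxy from replaying a cached authenticated response.
    ctx.Response.Headers["Cache-Control"] = "no-store";

    // End the Cognito Hosted UI session too; otherwise ALB's next redirect to the IdP
    // can sign the user straight back in without a prompt.
    var logoutUrl = $"{CognitoDomain}/logout?client_id={WebUtility.UrlEncode(ClientId)}"
                  + $"&logout_uri={WebUtility.UrlEncode(LogoutUri)}";
    return Results.Redirect(logoutUrl);
});

app.Run();
```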

Reasons:
  • Blacklisted phrase (0.5): how can I
  • Blacklisted phrase (1): Is there any
  • Long answer (-1):
  • Has code block (-0.5):
  • Ends in question mark (2):
  • Low reputation (1):
Posted by: Andrey Kedrov