Cookie storage limit problem with Cognito #10498

Open
3 tasks done
adilek opened this issue Oct 18, 2022 · 5 comments
Labels: Auth (Related to Auth components/category), Cognito (Related to cognito issues), feature-request (Request a new feature), Service Team (Issues asked to the Service Team)

Comments

@adilek

adilek commented Oct 18, 2022

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

# Put output below this line

Not relevant

Describe the bug

When the Cognito user pool client id changes, a new sign-in tries to create new cookie elements. Eventually it gets larger. Then CloudFront blocks it.

One possible solution would be clearing all Cognito-related cookies before a new sign-in.

There are already two tickets for this matter. But the Amplify team seems to ignore them. Not customer obsessive :)

#1545
#5330 (comment)

Expected behavior

No server-side error must happen.

Reproduction steps

To reproduce:

  1. Log in to your app using Cognito.
  2. Change the client id in Cognito.
  3. Login again.
  4. Repeat 1.

After the 3rd iteration you get the error message from CloudFront.


@haverchuck
Contributor

@adilek Are you using Cognito Hosted UI?

@haverchuck haverchuck added Auth Related to Auth components/category pending-triage Issue is pending triage labels Oct 18, 2022
@adilek
Author

adilek commented Oct 19, 2022

> @adilek Are you using Cognito Hosted UI?

We do not use hosted UI due to its limitations. Instead we use APIs from Amplify to work with Cognito.

@tannerabread tannerabread self-assigned this Oct 20, 2022
@tannerabread tannerabread added the Service Team Issues asked to the Service Team label Oct 25, 2022
@chrisbonifacio chrisbonifacio removed the pending-triage Issue is pending triage label Oct 27, 2022
@chrisbonifacio
Member

Hey @adilek 👋 thanks for raising this issue. We've opened an internal ticket with the Cognito team to see if this can be addressed on the service side or if they have any feedback/recommendations on how to mitigate it. Will respond back with any updates.

@chrisbonifacio chrisbonifacio added pending-response Cognito Related to cognito issues labels Oct 27, 2022
@tannerabread tannerabread added the feature-request Request a new feature label Dec 20, 2022
@tannerabread tannerabread removed their assignment Feb 28, 2023
@rdsedmundo

rdsedmundo commented Jan 24, 2024

I'm also getting this, CloudFront error is "494 ERROR The request could not be satisfied.", for what it's worth.

LocalStorage is not a secure option for session storage and is discouraged by OWASP, it's a shame that after several years the Amplify/Cognito teams haven't addressed this. The first issue I could find on this dates from as early as Feb 2018.

#1545
amazon-archives/amazon-cognito-identity-js#688

@rdsedmundo

rdsedmundo commented Jan 24, 2024

After some investigations I figured out that, at least in our case, where the base tokens are not that big as we don't have lots of custom claims, the issue is Amplify/Cognito not clearing up device data from the storage, and it starts to pile up as you log out and log in again, especially when different accounts are used. Eventually you then hit the CloudFront limits.

The keys that keep repeating themselves are:

CognitoIdentityServiceProvider.{$USER_POOL_CLIENT_ID}.${COGNITO_USER_COGNITO_ID}.randomPasswordKey
CognitoIdentityServiceProvider.{$USER_POOL_CLIENT_ID}.${COGNITO_USER_COGNITO_ID}.deviceGroupKey
CognitoIdentityServiceProvider.{$USER_POOL_CLIENT_ID}.${COGNITO_USER_COGNITO_ID}.deviceKey

Those keys are saved even if the "Remember me" option is not checked.
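
The cleanup proposed in this issue (clearing stale Cognito cookies before a new sign-in), sketched as an added example; it is not Amplify's code and not code from any commenter. It uses the key layout quoted in the comment above; the function names and the sample cookie string are assumptions, and the username passed in must be in the same form as it appears in the cookie name.

```javascript
// Added example. Sample cookie names and values below are constructed.
const PREFIX = 'CognitoIdentityServiceProvider.';
// Per-device key suffixes listed in the comment above.
const DEVICE_SUFFIXES = new Set(['randomPasswordKey', 'deviceGroupKey', 'deviceKey']);

// Split a document.cookie-style string into [{ name, value }].
function parseCookies(cookieString) {
  return cookieString.split(';').map((p) => p.trim()).filter((p) => p.includes('='))
    .map((p) => ({ name: p.slice(0, p.indexOf('=')), value: p.slice(p.indexOf('=') + 1) }));
}

// Break "<PREFIX><clientId>.<username>.<suffix>" apart; the username may contain dots.
function parseCognitoName(name) {
  if (!name.startsWith(PREFIX)) return null;
  const parts = name.slice(PREFIX.length).split('.');
  if (parts.length < 2) return null;
  return { clientId: parts[0], username: parts.slice(1, -1).join('.'), suffix: parts[parts.length - 1] };
}

// Names of cookies left by another app client, or device keys of another user.
function findStaleCognitoCookies(cookieString, currentClientId, currentUsername) {
  return parseCookies(cookieString).filter(({ name }) => {
    const key = parseCognitoName(name);
    if (!key) return false; // not a Cognito cookie, leave it alone
    if (key.clientId !== currentClientId) return true; // client id has changed
    return DEVICE_SUFFIXES.has(key.suffix) && key.username !== currentUsername;
  }).map(({ name }) => name);
}

// Bytes the named cookies add to every request's Cookie header ("name=value; ").
function staleBytes(cookieString, staleNames) {
  const stale = new Set(staleNames);
  const enc = new TextEncoder();
  return parseCookies(cookieString).filter(({ name }) => stale.has(name))
    .reduce((sum, { name, value }) => sum + enc.encode(`${name}=${value}; `).length, 0);
}

// Strings to assign to document.cookie, one per statement, to expire each cookie.
function expiryDirectives(names, { domain, path = '/' } = {}) {
  return names.map((n) => `${n}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`
    + (domain ? `; domain=${domain}` : ''));
}

const SAMPLE = [ // constructed: old client, another user's device key, current session
  'CognitoIdentityServiceProvider.oldclient111.alice.deviceKey=dev-a',
  'CognitoIdentityServiceProvider.oldclient111.alice.idToken=aaa',
  'CognitoIdentityServiceProvider.newclient222.bob.deviceGroupKey=grp-b',
  'CognitoIdentityServiceProvider.newclient222.alice.deviceKey=dev-a2',
  'CognitoIdentityServiceProvider.newclient222.alice.idToken=bbb',
  'theme=dark',
].join('; ');
```

In a browser, pass `document.cookie` as the cookie string and assign each returned directive to `document.cookie`; the `domain` and `path` must match the ones the cookies were set with, otherwise the browser keeps them.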

@nadetastic nadetastic self-assigned this Jan 31, 2024