Cloud front page is not redirecting and a new cookie is updated from behind.

[viyomasach]

I have set the session time to be 3600 seconds, when I login to the cloudfront url after 1 hour i.e. 3600 sec instead of redirecting me to the identity provider, it sends me to cloudfront url and when I check the cookie , I find that it has been updated starting from the current time to next 1 h0ur which is strange.

[payton]

Is it possible that you are still authenticated with the identity provider?

By that I mean it redirects you to the identity provider and immediately redirects to CloudFront since you are already authenticated with the identity provider.

[viyomasach]

But even if I am authenticated with identity provider, It works on the concept of expiry time of cookie. If I am accessing the cloudfront url after an hour, my cookie is technically expired and it should redirect me to the identity provider and resets my cookie.

[payton]

Correct. Isn't that what is happening, though?

You said that when you check the cookie, it has been updated such that the start time is the current time and it expires an hour from the current time. This would mean that the cookie has been reset.

[viyomasach]

Yes but instead of redirecting me to the identity provider it resets my cookie from behind with the current time which does not seem to be a valid scenario.

[payton]

Just to make sure I'm understanding you correctly, you are saying that it is setting the cookie without first redirecting to the identity provider?

If that's the case, I would ask that you first verify that you are not being redirected briefly (maybe record network activity in chrome to validate). There are only three places where the cookie is set in openid.index.js:

1. Received a request ending in /callback which should only come from the identity provider
2. Unauthorized scenario (sets cookie to empty)
3. Redirect to OIDC provider (sets cookie to empty)

The only scenario where we update the value to a signed JWT is scenario 1 at https://github.com/Widen/cloudfront-auth/blob/master/authn/openid.index.js#L169

[viyomasach]

Yes, You understood me correctly. This time I have set the cookie session to be 30 seconds When I open the cloudfront url first time, it took me to identity provider. When I open the cloudfront url after a minute again, it sends me to the same cloudfront url with out redirecting me to identity provider. When I checked the cookie 2nd time, it was set as the current time but the expiry time was apart 1 hour. I am not sure how it was set as 1 hour apart 2nd time, when the original session end time was 30 sec. Here are the screenshots of my cookie expiry timings for 1st and 2nd time.

[viyomasach]

Hey Payton, What I am not able to understand is : when the cookie is already expired according to session duration time, How does it get updated by itself in the backend when I open the page again?
Is there any way I can invalidate the cookie after the session ends?

[payton]

I'm definitely confused about the activity that you are noticing with the cookie renewing without redirecting to the OIDC provider. It may be helpful to check the CloudWatch logs for your lambda.

In terms of invalidating the cookie after the session, that's definitely possible. One option is to remove the cookie functionality altogether. You would simply redirect as soon as you have validation from the OIDC provider. Another option (probably cleaner) would be to create another Lambda@Edge function to execute on viewer response that will clear the cookie before reaching the user. This is probably the nicest way to do things without modifying existing code.

[payton]

Any update from your end, @viyomasach ?