I'm working on creating a serverless website using ReactJS, with AWS Amplify for authentication, and AWS Cognito for the user pool.
I'm trying to get the site to sign users out if they haven't been active on the site for an hour (or if they close the tab and don't go back to the site for an hour). However, my users continue to be signed in even if I go to the site the next day.
I read in Amplify's documentation that Amplify automatically refreshes the token when it expires, but I couldn't find a way to disable that.
I would appreciate any help on this. I'm not really sure how to solve this.
Thank you.
According to cognito docs ( https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token)
By default, the refresh token expires 30 days after your app user signs in to your user pool. When you create an app for your user pool, you can set the app's refresh token expiration (in days) to any value between 1 and 3650.
If you haven't changed the default, then Amplify will be able to refresh the token for 30 days. Even if you change it to the minimum value of 1, Amplify will be able to refresh for 24 hours.
In order to track the expected session expiration time, even when the user closes the browser, you will need to store that data in a database. You could test that value with a lambda, and then use Auth.signOut() if necessary based on the response.
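The answer above points at the core problem: as long as Cognito's refresh token is valid, Amplify will keep minting new access/ID tokens, so a "sign out after an hour of inactivity" rule has to be enforced by the application itself. The following is an added example (not code from the question, the answer, or the Amplify project) of a client-side idle timer for a React/Amplify app. It persists the last-activity timestamp in storage so the rule also covers a user who closed the tab and came back later, and it calls a `signOut` function you inject (for Amplify's `Auth` module that would be `() => Auth.signOut()`, or `{ global: true }` if you also want Cognito to invalidate the tokens server-side). The names `createIdleSession`, `IDLE_LIMIT_MS` and `STORAGE_KEY` are this example's own, and the in-memory `storage` object used for the usage call stands in for `window.localStorage`.

```javascript
// Added example: client-side inactivity timeout for an Amplify/Cognito app.
// Not from the original post. Assumes:
//   - `signOut`  : a function that signs the user out, e.g. () => Auth.signOut()
//                  from aws-amplify (may return a promise).
//   - `storage`  : an object with getItem/setItem/removeItem, i.e. the Web
//                  Storage API shape (window.localStorage in a browser).
//   - `now`      : returns epoch milliseconds (injectable for testing).

const IDLE_LIMIT_MS = 60 * 60 * 1000;      // one hour without activity
const STORAGE_KEY = 'lastActivityAt';      // persisted so closed tabs are covered

function createIdleSession({ storage, signOut, now = () => Date.now(), limitMs = IDLE_LIMIT_MS }) {
  // Record "the user just did something". Call this right after sign-in as well,
  // otherwise the fail-closed check below signs the fresh session out again.
  function touch() {
    storage.setItem(STORAGE_KEY, String(now()));
  }

  // True when the last recorded activity is older than the limit. A missing or
  // corrupted record is treated as expired (fail closed) so a stale login cannot
  // survive someone clearing or tampering with the key.
  function isExpired() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return true;
    const last = Number(raw);
    if (!Number.isFinite(last)) return true;
    return now() - last > limitMs;
  }

  // Sign out if the session is idle-expired. Resolves true when a sign-out was
  // triggered, false when the session is still within the limit.
  async function enforce() {
    if (!isExpired()) return false;
    storage.removeItem(STORAGE_KEY);
    await signOut();     // Amplify: clears the locally cached tokens, refresh token included
    return true;
  }

  // Browser wiring: refresh the timestamp on user input and re-check periodically.
  // Activity after expiry deliberately does NOT revive the session; the next
  // enforce() run signs the user out instead. Returns a cleanup function.
  function attach(target = globalThis, intervalMs = 60 * 1000) {
    const events = ['click', 'keydown', 'mousemove', 'touchstart'];
    const onActivity = () => { if (!isExpired()) touch(); };
    events.forEach((ev) => target.addEventListener(ev, onActivity, { passive: true }));
    const timer = setInterval(() => { enforce(); }, intervalMs);
    enforce();           // run once on page load: covers "closed the tab, came back later"
    return () => {
      clearInterval(timer);
      events.forEach((ev) => target.removeEventListener(ev, onActivity));
    };
  }

  return { touch, isExpired, enforce, attach };
}

// Usage with an in-memory stand-in for localStorage and a fake clock
// (constructed for the example; in the app, pass window.localStorage and omit `now`).
function demo() {
  const mem = new Map();
  const storage = {
    getItem: (k) => (mem.has(k) ? mem.get(k) : null),
    setItem: (k, v) => { mem.set(k, v); },
    removeItem: (k) => { mem.delete(k); },
  };
  let clock = 1_700_000_000_000;
  let signOutCalls = 0;
  const session = createIdleSession({
    storage,
    signOut: async () => { signOutCalls += 1; },
    now: () => clock,
  });
  session.touch();                                   // user just signed in
  const active = session.isExpired();                // false
  clock += 59 * 60 * 1000;                           // 59 minutes later
  const stillActive = session.isExpired();           // false
  clock += 2 * 60 * 1000;                            // 61 minutes since last activity
  const expired = session.isExpired();               // true
  return { session, active, stillActive, expired, signedOut: () => signOutCalls };
}
```

In the app, call `session.touch()` from Amplify's `Hub` `signIn` handler and `session.attach()` once from a top-level effect; the cleanup it returns belongs in the effect's teardown. Note that this is a client-side control: until the refresh token reaches the expiry configured on the app client (or is revoked), a copy of it remains usable outside the browser, so the Cognito-side expiry is still the setting that bounds the session for real.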
Looks like refresh tokens can now be set to expire after just 60 minutes. This can be set in User Pools->General settings->App clients-> Show details in the Cognito console.
I think this change was announced in August 2020, according to this post: https://aws.amazon.com/about-aws/whats-new/2020/08/amazon-cognito-user-pools-supports-customization-of-token-expiration/