[Auth] [Critical] Authentication cookie lockup when multiple user data exists

I’ve identified an edge case where “bad cookies” can cause a site to be prevented from loading (shows “pending” in Chrome DevTools Network tab) and is stuck indefinitely.

I’ve set Auth to use cookies for storage.

To Reproduce

Steps to reproduce the behavior:

  1. (web) Create a new user
  2. (web) Log in as user
  3. (AWS console) Delete user in Cognito interface
  4. (web) Create new user

Expected behavior

Website should be accessible.

Screenshots

[image]

Note the set of two credentials in the cookies. The website is totally stuck until I remove the old set. I can even spin up a completely different web application that doesn’t even have Cognito, and when I surf to localhost:8080, it’s stuck due to these cookies. Once I remove the set of cookies for the user starting with 7fd32, the issue is gone and I can surf normally.

Why this would happen in the real world

A user deletes their account, and then several days later, changes their mind and signs up again by creating a new account.

Desktop (please complete the following information):

  • OS: macOS 10.14.3
  • Browser: Chrome
  • Version: 72

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 12 (7 by maintainers)

Top GitHub Comments

1 reaction
ffxsam commented, Mar 18, 2019

I worked around this by explicitly calling Auth.logout() when a user logs out (or the app detects their account has been deleted or suspended).
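
An added example, not part of the original thread and not Amplify's own code: one way to detect the leftover credential set described in the issue. It assumes the cookie naming used by amazon-cognito-identity-js and that the `LastAuthUser` cookie identifies the current user; the client ID, usernames and cookie values are constructed.

```javascript
// Added example, not Amplify source. Assumed cookie naming:
//   CognitoIdentityServiceProvider.<clientId>.LastAuthUser = <username>
//   CognitoIdentityServiceProvider.<clientId>.<username>.<field>
const PREFIX = 'CognitoIdentityServiceProvider.';

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

// Returns the raw names of Cognito cookies that belong to a user other than
// the one recorded in LastAuthUser for the same app client. A client with no
// LastAuthUser cookie is left alone: there is nothing to compare against.
function findStaleCognitoCookies(cookieString) {
  const lastAuthUser = new Map(); // clientId -> username
  const perUser = [];             // { rawName, clientId, username }
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const rawName = part.slice(0, eq).trim();
    const name = safeDecode(rawName);
    if (!name.startsWith(PREFIX)) continue;
    const rest = name.slice(PREFIX.length);
    const firstDot = rest.indexOf('.');
    if (firstDot === -1) continue;
    const clientId = rest.slice(0, firstDot);
    const tail = rest.slice(firstDot + 1);
    if (tail === 'LastAuthUser') { lastAuthUser.set(clientId, safeDecode(part.slice(eq + 1).trim())); continue; }
    // Usernames may contain dots (e-mail addresses); the field is the last segment.
    const lastDot = tail.lastIndexOf('.');
    if (lastDot > 0) perUser.push({ rawName, clientId, username: tail.slice(0, lastDot) });
  }
  return perUser
    .filter((c) => lastAuthUser.has(c.clientId) && lastAuthUser.get(c.clientId) !== c.username)
    .map((c) => c.rawName);
}

// document.cookie assignments that expire the given cookies. `path` and
// `domain` must match how the cookies were originally set (assumed here).
function expiryDirectives(rawNames, { path = '/', domain } = {}) {
  return rawNames.map((n) => `${n}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`
    + (domain ? `; domain=${domain}` : ''));
}

// Constructed sample: old and new user cookie sets for one app client.
const P = 'CognitoIdentityServiceProvider.exampleclientid';
const SAMPLE = `${P}.LastAuthUser=new.user%40example.com; ${P}.old-user.idToken=aaa; `
  + `${P}.old-user.refreshToken=bbb; ${P}.new.user%40example.com.idToken=ccc; theme=dark`;
console.log(findStaleCognitoCookies(SAMPLE));
```

In a browser, pass `document.cookie` to `findStaleCognitoCookies` and assign each returned directive to `document.cookie`; cookies set with `HttpOnly` are not visible to script and have to be expired server-side.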

0 reactions
github-actions[bot] commented, Jun 11, 2021

This issue has been automatically locked since there hasn’t been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.
