Handling SSR Auth
Outline
- Current Signin Flow
- Using Remix
- Cookie/Session-Cookie
- Demo
Sigin Flow
Cognito Client SDK
Frontend
UI
Session Context
Cognito Client SDK
Frontend
UI
Session Context
Cognito Client SDK
Frontend
UI
Session Context
{
username: xxx:
pasword: xxx}
Cognito Client SDK
Frontend
UI
Session Context
{
username: xxx:
pasword: xxx}
AWS Cognito
Backend
POST https://cognito-idp.us-east-1.amazonaws.com/
generate idToken/refreshToken
Authorization: idToken
Using SSR
Cognito Client SDK
Frontend
UI
Session Context
{
username: xxx:
pasword: xxx}
AWS Cognito
Backend
POST https://cognito-idp.us-east-1.amazonaws.com/
generate idToken/refreshToken
Authorization: idToken
Backend
Cognito Client SDK
Frontend
UI
Session Context
Remix Server
query, guard...etc
stateless
Using SSR Issues
- Browser Api
- Authentication
- In local development, the token is cleared or lost after every hot reload, causing session issues
Remix
encrypt idToken & refreshToken and store in Cookie

4096 bytes
Cookie limits imposed by RFC A browser should be able to accept at least 300 cookies with a maximum size of 4096 bytes, as stipulated by RFC 2109 (#6.3), RFC 2965 (#5.3), and RFC 6265.
One domain
SessionId
Cookie
cookieHeader: __session=eyJzZXNzaW9uSWQiOiIwN2VjOTE0MS04MjVkLTRiZDAtYjk0OC01MzAyYjYzZmVhNDEifQ%3D%3D.1DD8empdMO6FOxXZ26Bv9WPmuDkoT%2FxuMmXNuYKqwhY; Path=/; HttpOnly; SameSite=Lax
memory/DB/Redis
{
xxxId:{
idToken:xxx,
refreshdToekn:xxx
}}
Micro Frontend

Demo
Ref
- https://repost.aws/questions/QUohnyWmF9Tiy8YdJx52sgww/cognito-does-not-support-the-rotation-of-refresh-tokens
Handling SSR Auth
By Jay Chou
Handling SSR Auth
- 191