Application load balancer session cookie's expiration is extremely high


Quite an old question already, but here are my 2 cents:

  • invalidating a cookie is somehow just a set-cookie with an expired date, so I don't think you need to be able to read the cookie from the request to invalidate it. I have not tried but I would just do something like: Set-Cookie "AWSELBAuthSessionCookie-0=deleted;path=/;expires=Thu, 01 Jan 1970 00:00:00 GMT;"

  • for the 2nd point (from @codematix), to logout you need to invalidate the auth cookie AND to redirect the user to the logout page configured in your IDP (probably to also invalidate the tokens, otherwise the ALB would just revalidate the tokens and re-create a session). See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-logout-timeout

I think you are confusing the ALB session (JSESSIONID cookie if I recall correctly) with the auth session cookie here.

Once again, I have no time to validate this, but I hope that helps :)
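The logout flow described in the answer above (expire the ALB auth cookie, then redirect to the IdP logout page), as an added example that is not part of the original posts. It assumes the default cookie name, up to four cookie shards as described in the AWS documentation, and a placeholder IdP logout URL; it uses only the standard library's WSGI support, the same interface a Flask app runs on.

```python
"""Logout for an app behind ALB authentication (added example, stdlib WSGI)."""
from email.utils import formatdate

# Assumptions (not from the original posts):
COOKIE_NAME = "AWSELBAuthSessionCookie"   # ALB default; configurable per rule
MAX_SHARDS = 4                            # ALB splits cookies >4K, up to 16K total
IDP_LOGOUT_URL = "https://idp.example.com/logout"  # placeholder


def expired_cookie(name):
    """Set-Cookie value that tells the browser to drop `name` immediately."""
    epoch = formatdate(0, usegmt=True)    # Thu, 01 Jan 1970 00:00:00 GMT
    return f"{name}=deleted; Path=/; Expires={epoch}; Max-Age=0; Secure; HttpOnly"


def logout_headers(idp_logout_url=IDP_LOGOUT_URL):
    """Headers for a logout response: expire every shard, then go to the IdP."""
    if not idp_logout_url.startswith("https://"):
        raise ValueError("IdP logout URL must be https")
    headers = [("Set-Cookie", expired_cookie(f"{COOKIE_NAME}-{i}"))
               for i in range(MAX_SHARDS)]
    headers += [("Location", idp_logout_url), ("Cache-Control", "no-store"),
                ("Content-Length", "0")]
    return headers


def app(environ, start_response):
    """Minimal WSGI app: /logout clears the session, anything else says hello."""
    if environ.get("PATH_INFO") == "/logout":
        start_response("302 Found", logout_headers())
        return [b""]
    body = b"hello\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Expiring the cookie alone only clears the browser side; the redirect to the IdP logout endpoint is what ends the IdP session so the ALB cannot silently re-create the auth session on the next request.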


I too have the same question; in my case it is being set to Expires=Sat, 29 Aug 2071 22:16:30 GMT. And I am unsure, even when I have set the Session timeout to 14400 seconds, which is about 4 hours, in the ALB authenticate rule.

It is quite unexplainable as to why this large expiry time would be set despite an explicit smaller value.