Cookie Expiration with Serverside sessions doesn't revoke tokens or send backchannel logout notifications
AndersAbel opened this issue · 2 comments
AndersAbel commented
With serverside sessions and session coordination enabled there are four ways that a session can end:
1. Deliberate call to Logout on IdentityServer (could be due to /endsession called from a client, an upstream provider doing a front-channel logout, or the user doing logout directly on IdentityServer).
2. Session timed out and the background session cleanup job found it and removed it.
3. An upstream provider notifies IdentityServer through back channel logout that there is a logout.
4. Session timed out, the user makes a request and the ASP.NET Core cookie handler detects that the session is expired and removes it.
For 1 and 2, any refresh token associated with the session is properly cleaned up. 3 is really up to the user to ensure that the back channel notification calls into the session coordination service.
For scenario number 4 it looks like we have a bug. The cookie handler will call RemoveAsync on the session store directly, which never invokes the session coordination service that is responsible for revoking the tokens.
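Added illustration of the gap described in scenario 4 (this is not code from the issue or from IdentityServer): the ASP.NET Core cookie handler only ever talks to the `ITicketStore` it was given, so any revocation step that lives outside that store is skipped when the handler removes an expired ticket. One defensive pattern is to decorate the real ticket store so that `RemoveAsync` looks up the ticket, hands its `sub`/`sid` to a revocation step, and only then deletes it. `ISessionRevocationHook` and `CoordinatedTicketStore` are assumed names for this example; `ITicketStore` and its four members are the real interface from `Microsoft.AspNetCore.Authentication.Cookies`.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Assumed abstraction (not an IdentityServer type): whatever in your deployment
// revokes refresh tokens and sends back-channel logout for a given session.
public interface ISessionRevocationHook
{
    Task RevokeAsync(string subjectId, string sessionId);
}

// Decorator around the real ITicketStore. Every path the cookie handler uses
// (store, renew, retrieve, remove) is forwarded unchanged, except that removal
// first runs the revocation hook so scenario 4 no longer bypasses it.
public sealed class CoordinatedTicketStore : ITicketStore
{
    private readonly ITicketStore _inner;
    private readonly ISessionRevocationHook _hook;

    public CoordinatedTicketStore(ITicketStore inner, ISessionRevocationHook hook)
    {
        _inner = inner;
        _hook = hook;
    }

    public Task<string> StoreAsync(AuthenticationTicket ticket) => _inner.StoreAsync(ticket);

    public Task RenewAsync(string key, AuthenticationTicket ticket) => _inner.RenewAsync(key, ticket);

    public Task<AuthenticationTicket?> RetrieveAsync(string key) => _inner.RetrieveAsync(key);

    public async Task RemoveAsync(string key)
    {
        // Read the ticket before deleting it so we still know whose session this was.
        var ticket = await _inner.RetrieveAsync(key);
        var principal = ticket?.Principal as ClaimsPrincipal;

        // "sub" and "sid" are the standard subject and session id claims.
        var sub = principal?.FindFirst("sub")?.Value;
        var sid = principal?.FindFirst("sid")?.Value;

        if (sub is not null && sid is not null)
        {
            // Revoke first: if this throws, the ticket stays and the next request
            // retries, rather than leaving live tokens behind with no session.
            await _hook.RevokeAsync(sub, sid);
        }

        await _inner.RemoveAsync(key);
    }
}
```

Register it in place of the plain store (for example `services.AddSingleton<ITicketStore>(sp => new CoordinatedTicketStore(innerStore, hook))` and point `CookieAuthenticationOptions.SessionStore` at it) so that both explicit logout and the cookie handler's expiry path end up in the same revocation code.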