DuendeSoftware/IdentityServer

Cookie Expiration with Serverside sessions doesn't revoke tokens or send backchannel logout notifications

AndersAbel opened this issue · 2 comments

With serverside sessions and session coordination enabled there are four ways that a session can end:

  1. Deliberate call to Logout on IdentityServer (could be due to /endsession called from a client or an upstream provider doing a front-channel logout or the user doing logout directly on IdentityServer).
  2. Session timed out and the background session cleanup job found it and removed it.
  3. An upstream provider notifies IdentityServer through back channel logout that there is a logout.
  4. Session timed out, the user makes a request and the ASP.NET Core cookie handler detects that the session is expired and removes it.

For 1 and 2 any refresh token associated with the session is properly cleaned up. 3 is really up to the user to ensure that the back channel notification calls into the session coordination service.

For scenario number 4 it looks like we have a bug. The cookie handler will call RemoveAsync on the session store directly, which never invokes the session coordination service that is responsible for revoking the tokens.
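One way to close the gap in scenario 4 from the application side, as an added example and not the project's own code: an ITicketStore decorator that routes the cookie handler's RemoveAsync through session coordination before delegating the removal. It assumes Duende's ISessionCoordinationService.ProcessExpirationAsync(UserSession), the UserSession property names and the AuthenticationProperties.GetClientList() extension; check these against the installed IdentityServer version.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Duende.IdentityServer.Extensions;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;

// Wraps the registered ITicketStore so that a removal triggered by the cookie
// handler (expired cookie detected on a request) still revokes tokens and
// sends back-channel logout notifications via session coordination.
// ASSUMED: ISessionCoordinationService.ProcessExpirationAsync(UserSession),
// UserSession.SubjectId/SessionId/ClientIds and GetClientList() as named here.
public sealed class CoordinatingTicketStore : ITicketStore
{
    private readonly ITicketStore _inner;
    private readonly ISessionCoordinationService _coordination;

    public CoordinatingTicketStore(ITicketStore inner, ISessionCoordinationService coordination)
    {
        _inner = inner;
        _coordination = coordination;
    }

    public Task<string> StoreAsync(AuthenticationTicket ticket) => _inner.StoreAsync(ticket);
    public Task RenewAsync(string key, AuthenticationTicket ticket) => _inner.RenewAsync(key, ticket);
    public Task<AuthenticationTicket> RetrieveAsync(string key) => _inner.RetrieveAsync(key);

    public async Task RemoveAsync(string key)
    {
        // Read the ticket before it is deleted so the subject and session ids are still known.
        var ticket = await _inner.RetrieveAsync(key);
        if (ticket != null)
        {
            var session = new UserSession
            {
                SubjectId = ticket.Principal.FindFirst("sub")?.Value,
                SessionId = ticket.Principal.FindFirst("sid")?.Value,
                // Clients that received tokens in this session; IdentityServer keeps
                // this list in the ticket's AuthenticationProperties (assumed helper).
                ClientIds = ticket.Properties.GetClientList().ToList(),
            };
            // Same path the background cleanup job takes for an expired session.
            await _coordination.ProcessExpirationAsync(session);
        }
        await _inner.RemoveAsync(key);
    }
}
```

Register it in place of the default ITicketStore (wrapping the original instance) so that the cookie handler's RemoveAsync call passes through the decorator.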