`/logout` cookie cleaning issues
Will956 opened this issue · 2 comments
Describe the problem
Hello
I'm following up on issue #446. We have the same issue on our side regarding request concurrency that re-establishes the appSession cookie.
We first made sure that `rolling` is set to `false` to prevent that issue. But we found that the expiry of the cookie still actually changes on concurrent requests (see video).
Enregistrement.de.l.ecran.2023-03-21.a.16.51.18.mov
As you can see, it's always the milliseconds that get updated in a weird way. However, when debugging the SDK, it does update the cookie with the right expiry value as far as I can understand:
```
express-openid-connect:appSession cookieOptions {
  httpOnly: true,
  sameSite: 'Lax',
  secure: false,
  expires: 2023-03-28T15:42:54.000Z
}
```
Note: this behavior (milliseconds that get updated in a weird way) is not related to this SDK; it is the same behavior when setting cookies in general.
We also tried to use a custom store (Redis), but it doesn't fix the issue.
My question is: do you see any other way to prevent request concurrency from re-establishing the appSession cookie?
Thanks
Environment
- Version of this library used: 2.12.1
- Which framework are you using, if applicable: Express
- Other modules/plugins/libraries that might be involved: connect-redis@7.0.1 / ioredis@5.3.1
Hi @Will956 - thanks for raising this.
> We also tried to use a custom store (Redis), but it doesn't fix the issue.
Concurrent requests might re-establish an appSession cookie even when you're using a stateful session store like Redis, but when you log out, the session id in the appSession cookie will point to an entry that's been removed from the store, so you should not re-establish a session.
Hey @adamjmcgrath, thanks for your quick response.
I did some tests: by using Redis and a custom logout endpoint (but using `res.oidc.logout()` under the hood), it does correctly clean the session and the cookie is not re-established.
By using the same setup, but not using a custom logout endpoint, it does sometimes re-establish the cookie.
Not sure why there is a difference between setting a custom logout endpoint or not with a custom store, but it fixes my issue (maybe I got lucky there).
But, as you said, if I encounter this issue again I should clear the corresponding key on the Redis store in a custom logout endpoint and it will clear the session.
I'm closing this issue, thanks again.