DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

Cookie Expiration with Serverside sessions doesn't revoke tokens or send backchannel logout notifications #1552

Open AndersAbel opened 4 months ago

AndersAbel commented 4 months ago

With serverside sessions and session coordination enabled there are four ways that a session can end:

  1. Deliberate call to Logout on IdentityServer (could be due to /endsession called from a client, an upstream provider doing a front-channel logout, or the user doing logout directly on IdentityServer).
  2. Session timed out and the background session cleanup job found it and removed it.
  3. An upstream provider notifies IdentityServer through back channel logout that there is a logout.
  4. Session timed out, the user makes a request and the ASP.NET Core cookie handler detects that the session is expired and removes it.

For 1 and 2 any refresh token associated with the session is properly cleaned up. 3 is really up to the user to ensure that the back channel notification calls into the session coordination service.

For scenario number 4 it looks like we have a bug. The cookie handler will call RemoveAsync on the session store directly, which never invokes the session coordination service that is responsible for revoking the tokens.
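Added example, not code from this issue or from Duende IdentityServer: a decorator around ASP.NET Core's `ITicketStore` that turns the cookie handler's `RemoveAsync` call (scenario 4 above) into a session-ended event, so that the expired-cookie path runs the same revocation logic as an explicit logout instead of only deleting the stored ticket. `RevokingTicketStore` and the `SessionEndedHandler` delegate are hypothetical names; the page does not name the interface of IdentityServer's session coordination service, so the delegate stands in for whatever revokes the session's grants and sends back-channel logout notifications for a given subject and session id. The `sub` and `sid` claim names are the standard OpenID Connect ones and are assumed to be present on the stored principal.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Logging;

// Hypothetical hook: whatever revokes grants (refresh tokens etc.) and sends
// back-channel logout notifications for one subject + session id. In an
// IdentityServer deployment this would be wired to the session coordination
// service; its interface is not shown on this page, so a delegate is used.
public delegate Task SessionEndedHandler(string subjectId, string sessionId);

// Decorates the real ticket store. Store/Renew/Retrieve pass straight
// through; RemoveAsync additionally fires the session-ended hook so that a
// removal triggered by the cookie handler (expired ticket) is not silent.
public sealed class RevokingTicketStore : ITicketStore
{
    private readonly ITicketStore _inner;
    private readonly SessionEndedHandler _onSessionEnded;
    private readonly ILogger<RevokingTicketStore> _logger;

    public RevokingTicketStore(
        ITicketStore inner,
        SessionEndedHandler onSessionEnded,
        ILogger<RevokingTicketStore> logger)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _onSessionEnded = onSessionEnded ?? throw new ArgumentNullException(nameof(onSessionEnded));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
    }

    public Task<string> StoreAsync(AuthenticationTicket ticket) => _inner.StoreAsync(ticket);

    public Task RenewAsync(string key, AuthenticationTicket ticket) => _inner.RenewAsync(key, ticket);

    public Task<AuthenticationTicket?> RetrieveAsync(string key) => _inner.RetrieveAsync(key);

    public async Task RemoveAsync(string key)
    {
        // Read the ticket before deleting it: once it is gone we can no longer
        // learn which subject/session the outstanding tokens belonged to.
        AuthenticationTicket? ticket = await _inner.RetrieveAsync(key);
        await _inner.RemoveAsync(key);

        if (ticket == null)
        {
            // Already removed (explicit logout or the cleanup job got there
            // first); there is nothing left to revoke for this key.
            return;
        }

        ClaimsPrincipal principal = ticket.Principal;
        string? sub = principal.FindFirst("sub")?.Value;
        string? sid = principal.FindFirst("sid")?.Value;
        if (string.IsNullOrEmpty(sub) || string.IsNullOrEmpty(sid))
        {
            _logger.LogWarning("Removed ticket {Key} has no sub/sid claims; skipping revocation", key);
            return;
        }

        try
        {
            await _onSessionEnded(sub, sid);
        }
        catch (Exception ex)
        {
            // A failed revocation must not break the cookie handler's request
            // pipeline; the periodic grant cleanup job remains the backstop.
            _logger.LogError(ex, "Token revocation for session {Sid} of subject {Sub} failed", sid, sub);
        }
    }
}
```

The decorator is installed wherever the application sets `CookieAuthenticationOptions.SessionStore`; with server-side sessions IdentityServer registers that store itself, so the wrapping has to happen after its configuration runs, and the page does not show where that is. Calling the hook after `_inner.RemoveAsync` rather than before keeps the store consistent even if revocation throws, and the early return on a missing ticket avoids double revocation when the cleanup job and the cookie handler race on the same expired session.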

josephdecock commented 1 week ago

So to restate, the problem is that the cookie handler can destroy your session before the cleanup job sees it, and thus your session never gets cleaned up.

I would expect that if the grant cleanup job was also running, it would see your expired tokens and clean them up still. Still, it would be better to have the cookie handler revoke tokens automatically instead.

brockallen commented 1 week ago

Isn't there also a bug where the back channel notifications don't happen?