Open AndersAbel opened 4 months ago
So to restate, the problem is that the cookie handler can destroy your session before the cleanup job sees it, and thus your session never gets cleaned up.
I would expect that if the grant cleanup job was also running, it would see your expired tokens and clean them up still. Still, it would be better to have the cookie handler revoke tokens automatically instead.
Isn't there also a bug where the back channel notifications don't happen?
With server-side sessions and session coordination enabled, there are four ways that a session can end:
For 1 and 2 any refresh token associated with the session is properly cleaned up. 3 is really up to the user to ensure that the back channel notification calls into the session coordination service.
For scenario number 4 it looks like we have a bug. The cookie handler will call RemoveAsync on the session store directly, which never invokes the session coordination service that is responsible for revoking the tokens.
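A minimal model of scenario 4, added here as an illustration and not code from IdentityServer or from anyone in this thread. Every type is a hypothetical stand-in. It shows a direct `RemoveAsync` call leaving a refresh token behind, and a store decorator that routes every removal through the coordinator.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

// Every type here is a hypothetical stand-in, not an IdentityServer or ASP.NET Core type.
public interface ISessionStore { Task RemoveAsync(string sessionId); }
public sealed class InMemorySessionStore : ISessionStore
{
    public HashSet<string> Sessions { get; } = new();
    public Task RemoveAsync(string sessionId) { Sessions.Remove(sessionId); return Task.CompletedTask; }
}
// Plays the role of the session coordination service: revokes tokens tied to a session.
public sealed class Coordinator
{
    public Dictionary<string, string> RefreshTokens { get; } = new(); // handle -> session id
    public void ProcessSessionEnd(string sessionId)
    {
        var handles = RefreshTokens.Where(t => t.Value == sessionId).Select(t => t.Key).ToList();
        foreach (var handle in handles) RefreshTokens.Remove(handle);
    }
}
// Decorator: any caller of RemoveAsync, the cookie handler included, triggers revocation.
public sealed class CoordinatedSessionStore : ISessionStore
{
    private readonly ISessionStore _inner;
    private readonly Coordinator _coordinator;
    public CoordinatedSessionStore(ISessionStore inner, Coordinator coordinator)
        => (_inner, _coordinator) = (inner, coordinator);
    public async Task RemoveAsync(string sessionId)
    {
        _coordinator.ProcessSessionEnd(sessionId);
        await _inner.RemoveAsync(sessionId);
    }
}
public static class Program
{
    public static async Task Main()
    {
        foreach (var coordinated in new[] { false, true })
        {
            // Constructed sample data: one session "s1" with one refresh token "rt-1".
            var raw = new InMemorySessionStore { Sessions = { "s1" } };
            var coordinator = new Coordinator { RefreshTokens = { ["rt-1"] = "s1" } };
            ISessionStore store = coordinated ? new CoordinatedSessionStore(raw, coordinator) : (ISessionStore)raw;
            await store.RemoveAsync("s1"); // the cookie handler's call when the cookie has expired
            var orphaned = coordinator.RefreshTokens.Count(t => !raw.Sessions.Contains(t.Value));
            Console.WriteLine($"coordinated={coordinated} orphanedTokens={orphaned}");
        }
    }
}
```

The `orphaned` query, tokens whose session no longer exists, is also a usable audit check for deployments that may already have hit this path.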