DuendeSoftware / Support

Support for Duende Software products

[Question] How to "manually" check if user already logout from identity server? #1322

Open ktutnik opened 1 week ago

ktutnik commented 1 week ago

Which version of Duende IdentityServer are you using? v6

Which version of .NET are you using? v7

Question: We are planning to use Server Side Sessions and be able to log out a user's session from another device. Everything was fine until one of our old applications (ASP.NET MVC 4.0), which maintains its own session: the application uses Identity Server to log in, and after the login is successful it maintains the session itself using FormsAuthentication.SetAuthCookie. So removing the server-side session for this application won't make the user log out, because the application is totally disconnected from the Identity Server.

I'm thinking of a way to "intercept" the request from Global.asax for each request, but the problem is how do I "manually" check if the current user has already logged out from the identity server.

RolandGuijt commented 6 days ago

When a server-side web client authenticates, two sessions will be created, which means two cookies: one by the client itself and one by the identity provider (provided it doesn't exist yet). When the one set by the client expires, the identity provider cookie may still exist. If that's the case, a new session can be automatically created by the client without the need for the user to log in again. What your old application is doing (setting the cookie) is correct, and it is also what new applications are doing.

As long as the client cookie doesn't expire or get deleted, the application will function without the identity provider being involved. Only when the cookie is expired/deleted will the identity provider be contacted. When the identity provider's cookie is still valid and server-side sessions are enabled at that moment, the store will be checked to see if the session is still valid or not. And when it's not, the user will see the login page again.

Having said that, when a session is actively removed from the store you probably don't want to wait for the client cookie to expire. So when that happens, a backchannel logout occurs if that is configured for the client.

Hope that helps, let me know if you have questions.
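One way the legacy application could act on the back-channel logout RolandGuijt mentions, as an added example (not code from the issue thread or from Duende): an endpoint that receives the logout token, validates it against the rules of OpenID Connect Back-Channel Logout 1.0, and revokes the application's own session. It assumes the System.IdentityModel.Tokens.Jwt NuGet package, IdentityServer's signing keys already loaded (e.g. from its JWKS endpoint), a hypothetical ILocalSessionStore that maps IdentityServer session ids to the app's FormsAuthentication sessions, and placeholder issuer and client_id values.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Web.Mvc;
using Microsoft.IdentityModel.Tokens;

// Hypothetical app-side store mapping IdentityServer's session id ("sid") or subject to the
// legacy app's own FormsAuthentication sessions so they can be revoked on the server.
public interface ILocalSessionStore { void RevokeBySid(string sid); void RevokeBySubject(string sub); }

public class BackChannelLogoutController : Controller
{
    // Event URI that OpenID Connect Back-Channel Logout 1.0 requires inside the "events" claim.
    private const string LogoutEvent = "http://schemas.openid.net/event/backchannel-logout";
    private readonly ILocalSessionStore _sessions;
    private readonly TokenValidationParameters _validation;

    public BackChannelLogoutController(IEnumerable<SecurityKey> signingKeys, ILocalSessionStore sessions)
    {
        _sessions = sessions;
        _validation = new TokenValidationParameters
        {
            ValidIssuer = "https://idp.example.com",  // assumption: the IdentityServer authority
            ValidAudience = "legacy-mvc-client",      // assumption: this application's client_id
            IssuerSigningKeys = signingKeys,          // assumption: loaded from the JWKS endpoint
            ValidateLifetime = true,
            RequireExpirationTime = false,            // "exp" is optional in a logout token
            ClockSkew = TimeSpan.FromMinutes(1)
        };
    }

    // IdentityServer POSTs a form containing a single "logout_token" field to this endpoint.
    [HttpPost, AllowAnonymous]
    public ActionResult Index(string logout_token)
    {
        if (string.IsNullOrEmpty(logout_token)) return new HttpStatusCodeResult(400, "missing logout_token");
        SecurityToken validated;
        try { new JwtSecurityTokenHandler().ValidateToken(logout_token, _validation, out validated); }
        catch (Exception e) when (e is SecurityTokenException || e is ArgumentException)
        { return new HttpStatusCodeResult(400, "invalid logout_token"); }

        var jwt = (JwtSecurityToken)validated;
        var sid = jwt.Claims.FirstOrDefault(c => c.Type == "sid")?.Value;
        // Spec rules: "events" must name the logout event, "nonce" must be absent (so the token
        // cannot pass as an ID token) and at least one of "sid"/"sub" must be present.
        if (!jwt.Payload.TryGetValue("events", out object events) || !events.ToString().Contains(LogoutEvent)
            || jwt.Payload.Nonce != null || (sid == null && jwt.Payload.Sub == null))
            return new HttpStatusCodeResult(400, "malformed logout_token");

        // Revoke the app's own session; sid-scoped revocation is preferred over subject-wide.
        if (sid != null) _sessions.RevokeBySid(sid); else _sessions.RevokeBySubject(jwt.Payload.Sub);
        return new HttpStatusCodeResult(200);
    }
}
```

The endpoint's URL is registered as the client's BackChannelLogoutUri in IdentityServer, and the sid from the ID token must be recorded in the local store at login time. Because a FormsAuthentication cookie is self-contained, the per-request check the question asks about then becomes a lookup in that local store (for example in Global.asax's Application_AuthenticateRequest) rather than a call to the identity server.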