DuendeSoftware / Support

Support for Duende Software products

Cross session issue on legacy app, using EF Persistent store #1464

Closed victorguidant closed 3 weeks ago

victorguidant commented 4 weeks ago

Which version of Duende IdentityServer are you using? 7.0.7

Which version of .NET are you using? 4.6.1 and 8

Describe the bug

We have a client configuration based on several URLs for different apps (2 .NET Framework 4.6.1 and some others in .NET 8). Older .NET Framework apps have a different version of the OpenID package. Setup on Duende Identity uses EF persistent store.

.NET 4.x.x app: the user logs in correctly, but if a user on a different computer accesses the same protected app URL in incognito or in a browser that wasn't logged in yet, it doesn't ask the user to log in, and redirects them as the user that was logged in before on a different computer.

.NET 8 apps don't store the grants in the database table, or they are added but removed almost immediately by identity server after being redirected from the identity server to the client app.

To Reproduce

  1. User A, enters protected app URL (e.g. app.com/login).
  2. Login on Duende app.
  3. Logged into the protected app URL (e.g. app.com/protected-url).
  4. User B, from a different computer, tries to access the protected app URL without logging in first (app.com/protected-url).
  5. User B is able to see the session and claims from User A without logging in.

Expected behavior

User is prompted to login and not be able to access a session that was started by a different user in a different machine.

Client config: (screenshot not reproduced)

.NET 4.6.1 Open ID config: (screenshot not reproduced)

.NET 8 Open ID config: (screenshot not reproduced)

garthvanderhouwen commented 3 weeks ago

Is there a version of the middleware that is recommended for .net 4.6.1/2 applications or is this no longer supported by Duende?

AndersAbel commented 3 weeks ago

This is indeed a weird bug. My first guess is that there is some kind of response caching on the .NET Framework apps that causes the session cookie to be incorrectly set on the second computer.

Could you run the flow and use the browser development tools to see what cookies are set for User A and User B?

The Microsoft.Owin packages are still supported and are the recommended way to connect a .NET Framework application to IdentityServer.
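
The response-caching hypothesis above, as an added example that is not code from the issue or from Duende: a toy protected app behind a shared cache. The origin, the two cache classes and the users alice/bob are constructed; the point is that a cache which stores a response carrying Set-Cookie (or which ignores Cache-Control: no-store) replays the first user's session cookie to the next visitor of the same URL, which is exactly the symptom User B reports.

```python
# Constructed model of "response caching hands User A's session to User B".
SESSIONS = {}  # session id -> user name (stands in for the persisted session)


def origin(url, cookie, user):
    """Protected app: with a valid session cookie it serves that session's
    owner; without one it completes the login leg for `user` and sets a
    cookie, marking the response no-store because it is per-user."""
    if cookie in SESSIONS:
        return {"headers": {}, "body": f"hello {SESSIONS[cookie]}"}
    sid = f"sid-{len(SESSIONS) + 1}"
    SESSIONS[sid] = user
    return {"headers": {"Set-Cookie": f"session={sid}",
                        "Cache-Control": "no-store"},
            "body": f"hello {user}"}


class NaiveCache:
    """Buggy cache: keys on URL only and ignores cache headers."""
    def __init__(self):
        self.store = {}

    def get(self, url):
        return self.store.get(url)

    def put(self, url, resp):
        self.store[url] = resp


class SafeCache(NaiveCache):
    """Never stores a response that sets a cookie or is marked no-store."""
    def put(self, url, resp):
        h = resp["headers"]
        if "Set-Cookie" in h or "no-store" in h.get("Cache-Control", ""):
            return
        self.store[url] = resp


def fetch(cache, jar, url, user):
    """One browser request through the cache; applies Set-Cookie to `jar`."""
    resp = cache.get(url)
    if resp is None:
        resp = origin(url, jar.get("session"), user)
        cache.put(url, resp)
    if "Set-Cookie" in resp["headers"]:
        name, value = resp["headers"]["Set-Cookie"].split("=", 1)
        jar[name] = value
    return resp["body"]


def scenario(cache_cls):
    """User A logs in on one machine, then User B opens the same URL from a
    fresh browser on another. Returns (page A saw, page B saw)."""
    SESSIONS.clear()
    cache = cache_cls()
    seen_by_a = fetch(cache, {}, "/protected-url", "alice")
    seen_by_b = fetch(cache, {}, "/protected-url", "bob")
    return seen_by_a, seen_by_b
```

With NaiveCache the second tuple element is "hello alice" (B inherits A's cookie); with SafeCache B is sent through its own login and sees "hello bob". The same check in the browser is whether User B's first response already carries a Set-Cookie for the app session before any login redirect happened.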

AndersAbel commented 3 weeks ago

Due to being sensitive, we are continuing this investigation through direct contact.