IdentityModel / oidc-token-manager

Apache License 2.0

How do we check if the user's session has already expired? #23

Closed vinaykasireddy closed 8 years ago

vinaykasireddy commented 9 years ago

We are currently using the below function to logout in our application. The problem with this approach is, irrespective of whether the user is logged in or not (or you can say, his session is expired), it still redirects to logout page and does not provide a provision to come back. (It says "You are now logged out").

Is there any way to check if the user session has already expired so that, instead of logging out, I can redirect for log in?

I guess I cannot use mgr.expired as that is used only for the access_token.

$("#logout").click(function () { mgr.redirectForLogout(); });

brockallen commented 9 years ago

Look into the check session endpoint concept from the OIDC session management spec. This library doesn't provide any help today, but I have this open issue for it: https://github.com/IdentityModel/oidc-token-manager/issues/19

vinaykasireddy commented 9 years ago

That's a bit of a pain to hear. Wondering how others are handling this situation? We really need to redirect the user to login if he is not active for the period of the identity token lifetime. Any suggestions, allen?

vinaykasireddy commented 9 years ago

Hi allen,

Found something useful from the below link. Can it be used for my problem? https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients/JavaScriptImplicitClient

brockallen commented 9 years ago

Yes, that's a sample that uses the check session endpoint.

vinaykasireddy commented 9 years ago

One more doubt. Can I confidently rely on the "exp" claim to maintain the user session at the client side?

I also do not understand why, even after the exp timeout, it doesn't ask me to login again. I believe this is because of the "idsrv" cookie in the browser, which doesn't seem to expire even if I try to expire the cookie (via CookieOptions) every 20 min (= IdentityTokenLifetime = AccessTokenLifetime). The Expires field in the browser always shows "When the browser session ends" (even for the 10 hrs default timeout). Am I missing anything here? Please suggest.

FYI, our oidc token manager communicates directly with identity server. No MVC API in the middle.

brockallen commented 8 years ago

Your client-side session is really up to you.

As for knowing when the user signs out of the token service, the other approach is to use the HTTP front-channel spec -- it's an alternative approach (and we just released support for it in IdentityServer in build 2.2).