IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Session Fixation Mitigation #1765

Closed jlegan closed 9 years ago

jlegan commented 9 years ago

I set out to implement most of the NWebsec project (CSP, HPKP, HSTS and Session Security) and everything worked well until I added Session Security. It is an attempt at session fixation mitigation and it appears that the massaging of the identity is invalidating the user, which then redirects me back to the IdP. Has anyone used the SessionSecurity package for NWebsec and, if so, how did you get it to work with OIDC in MVC?

brockallen commented 9 years ago

Dunno -- let's ask @klings

jlegan commented 9 years ago

I did. I saw you reference the project in an enhancement request in the past so I thought I would toss it here to the team as well. I will update the question when I find the solution.

On Friday, August 21, 2015, Brock Allen notifications@github.com wrote:

Dunno -- let's ask @klings https://github.com/klings


klings commented 9 years ago

I assume you don't use ASP.NET sessionstate in IdentityServer @brockallen, @leastprivilege?

brockallen commented 9 years ago

In idsvr? Hell no.

-Brock

On Aug 22, 2015, at 5:37 PM, André N. Klingsheim notifications@github.com wrote:

I assume you don't use ASP.NET sessions in IdentityServer @brockallen?


klings commented 9 years ago

Just checking. :)

klings commented 9 years ago

My first impression was that he'd mixed IdSrv and NWebsec. After some fine-reading I realized the issue must lie in a different app. I (unfortunately) don't think we can blame this one on IdSrv. We'll try to figure out what's going on in NWebsec/NWebsec#65.

jlegan commented 9 years ago

Brock,

I am working with Andre on this at the link above, but I just came across this thread from 2014. Again, not an Identity Server issue, but I suspect a similar root cause if this comes up again. I will post back here when a solution is in hand.

https://github.com/IdentityServer/IdentityServer3/issues/294

Thanks,

Jim

jlegan commented 9 years ago

Brock,

Adding the following to my Global.asax fixed the issue.

    protected void Session_Start(object sender, EventArgs e)
    {
        // Intentionally empty: required in order to allow the NWebsec session security
        // package to work when using OIDC and cookies for authentication.
    }

brockallen commented 9 years ago

In the client app or in IdSvr?

jlegan commented 9 years ago

Client app. It has something to do with how MVC and the UseOpenIdConnectAuthentication along with UseCookieAuthentication affects the Session object, and for some reason including an empty Session_Start in the Global.asax of the MVC solution fixes it. Not IdSvr related, but a useful nugget of info in case someone asks again.

brockallen commented 9 years ago

Ah ok. Yes, I see now -- the katana middleware does not play well with cookies issued by MVC/ASP.NET.
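For reference, here is the minimal MVC 5 / Katana client wiring that the empty Session_Start workaround above applies to. This is an added illustration, not code from the thread, from IdentityServer3 or from NWebsec; the authority, client id, redirect URI and namespace are placeholders. The mechanism the thread leaves unexplained is that ASP.NET only persists a session (and therefore sends a stable ASP.NET_SessionId cookie) when something uses the session or a Session_Start handler exists; the Katana cookie and OIDC middleware never touch ASP.NET session state, so without the handler there is no session for NWebsec's SessionSecurity to bind the authenticated user to. That explanation is the editor's, not the thread's.

```csharp
// Startup.cs (MVC 5 client on Katana). Added example; all URLs and ids are placeholders.
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(ClientApp.Startup))]

namespace ClientApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Katana cookie middleware holds the signed-in principal in its own
            // cookie. It does not create or use ASP.NET session state.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "Cookies"
            });

            // OIDC middleware redirects to the IdP and, on return, signs in to the
            // cookie middleware above via SignInAsAuthenticationType.
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://idsrv.example.com/identity", // placeholder
                ClientId = "mvc-client",                           // placeholder
                RedirectUri = "https://client.example.com/",       // placeholder
                ResponseType = "id_token",
                Scope = "openid profile",
                SignInAsAuthenticationType = "Cookies"
            });
        }
    }
}

// Global.asax.cs (same client). The handler body stays empty on purpose.
namespace ClientApp
{
    public class MvcApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            System.Web.Mvc.AreaRegistration.RegisterAllAreas();
            RouteConfig.RegisterRoutes(System.Web.Routing.RouteTable.Routes);
        }

        // Editor's note (assumption, see lead-in): merely declaring Session_Start
        // makes ASP.NET persist the session on the first request, so the
        // ASP.NET_SessionId cookie exists alongside the Katana auth cookie and
        // NWebsec's SessionSecurity has a session to tie the identity to.
        protected void Session_Start(object sender, System.EventArgs e)
        {
        }
    }
}
```

With both files in place the OIDC sign-in completes once and the user is no longer bounced back to the IdP; if you remove the Session_Start handler again the redirect loop described in the opening comment returns, which is a quick way to confirm the workaround is what is holding things together.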