/sessions endpoint doesn't work
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
I am doing a request to get the user's active sessions:
await fetch('my-custom-domain/sessions', {credentials: 'include'});
The first time, I got a list of sessions and their state (active), but with each reload, fewer and fewer sessions are returned from the endpoint: now the call returns [], which seems impossible, as I am still logged in. So it should return at least one.
I was able to replicate this locally with Kratos v0.10.1 — but instead of [], it returns null.
Reproducing the bug
There's more info in the Slack thread: https://ory-community.slack.com/archives/C012RJ2MQ1H/p1658740243417909
- Log into your Ory Cloud project
- Make this call:
await fetch('my-custom-domain/sessions', {credentials: 'include'});
Recent trace-id: uber-trace-id: 00000000000000006123c430bad16470:e98bcdf6d832cc5b:0:1
Relevant log output
No response
Relevant configuration
No response
Version
0.10.1
On which operating system are you observing this issue?
Ory Cloud
In which environment are you deploying?
Ory Cloud
Additional Context
No response
@aeneasr I see you made a PR, any idea what the other error is?
That the sessions count gets lower and lower with each request until no sessions (or nil) are returned?
I tried to look at the database code, and couldn't make much sense of it yet.
Specifically: https://github.com/ory/kratos/blob/aa6ef6decae05bb43107340a09b413bac1a76579/persistence/sql/persister_session.go#L51
Any pointers to what that is?
Hi @till - sorry, this issue slipped my mind. I will try to reproduce this problem!
Hi @till - I checked the code base and it looks as if the current session is excluded in the list sessions call. That's why the result is empty. I don't think it makes sense for it to be empty in this case, so we'll remove this exception to always show the active sessions!
@aeneasr That's closer to the docs then! 😃
What about the other: that I do a call and I start off with N and each time I do the call again it's decreasing?
I just had it again today: 1 active session, page reload, 0. I can reproduce this with Cloud and local Kratos.
Is it possible that the other session expires?
I thought about this too. Is there a cleanup that runs while it's queried?
Hm no, there is no clean up triggered by this API call
@aeneasr I finally found the cause for my (original) bug report: I managed to iterate over everything in the list when it was loaded in the app and delete every item, which caused the bug of the sessions disappearing.
It deleted everything, except for the session in the browser because it currently doesn't show up in the list I think. I would probably ask for the "current session" to be included in the response of the whoami call (to match documentation), but I can make a new issue if you prefer and we can close this.
Sounds good, let’s do it like that! :) Glad you found the issue
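An added example, not part of the thread and not Ory's code: a client-side helper that tolerates the behaviour described above, where `/sessions` returns `[]` or `null` and leaves out the current session, by merging in the result of the whoami call and never marking the current session as revocable. The `id` and `active` field names, the `/sessions/whoami` path, and the `baseUrl` argument are assumptions.

```javascript
// Added example. Assumed: session objects carry `id` and `active`,
// and the whoami call lives at `${baseUrl}/sessions/whoami`.

// The thread reports `[]` on Ory Cloud and `null` on local Kratos v0.10.1
// when no other sessions exist; treat both as an empty list.
function normalizeList(body) {
  return Array.isArray(body) ? body : [];
}

// Combine the current session (from whoami) with the listed sessions.
// De-duplicates by id, so the result stays correct if the server starts
// including the current session in the list.
function mergeSessions(listBody, current) {
  const byId = new Map();
  if (current && current.id) {
    byId.set(current.id, { ...current, isCurrent: true });
  }
  for (const s of normalizeList(listBody)) {
    if (!s || !s.id || byId.has(s.id)) continue;
    byId.set(s.id, { ...s, isCurrent: false });
  }
  return [...byId.values()];
}

// Sessions an explicit "sign out other devices" action may revoke.
// The current session is never included, and nothing is revoked on load.
function revocable(sessions) {
  return sessions.filter((s) => !s.isCurrent && s.active !== false);
}

// Fetch both endpoints with cookies and return the merged view.
async function loadSessions(baseUrl, fetchImpl = globalThis.fetch) {
  const opts = { credentials: 'include' };
  const [listRes, whoRes] = await Promise.all([
    fetchImpl(`${baseUrl}/sessions`, opts),
    fetchImpl(`${baseUrl}/sessions/whoami`, opts),
  ]);
  const current = whoRes.ok ? await whoRes.json() : null; // no session -> null
  const list = listRes.ok ? await listRes.json() : null;
  return mergeSessions(list, current);
}
```

An empty or `null` list combined with a valid whoami result yields exactly one entry flagged `isCurrent`, which matches the "still logged in, so at least one" expectation in the report.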