search

spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0
74.59k stars 40.55k forks source link

Spring Boot - Redis Sessions not being properly deleted #42048

Closed dreamstar-enterprises closed 3 weeks ago

dreamstar-enterprises commented 3 weeks ago

Hi,

I have a Spring OAuth Client (BFF), between a Public Angular Client, and an Auth0 Authorization server. When I login, the BFF correctly persists the session to Redis (and with it, the Authorized Client, Security Context, and Authorized Request as attributes in the session)

When I logout though, only the contents of the Session get deleted, the key itself does not. Also nothing in the Sorted Set, ever gets deleted. I am positing here, as it might be a genuine bug.

Logout Handler

Here is my Logout Handler

@Component
internal class SessionServerLogoutHandler(
    private val sessionControl: SessionControl,
    private val sessionProperties: SessionProperties,
    private val csrfProperties: CsrfProperties,
) : ServerLogoutHandler {

    private val logger = LoggerFactory.getLogger(SessionServerLogoutHandler::class.java)

    override fun logout(exchange: WebFilterExchange, authentication: Authentication?): Mono<Void> {
        return exchange.exchange.session
            .flatMap { session ->
                logger.info("Logging out: Invalidating User Session: ${session.id}")

                val response = exchange.exchange.response
                sessionControl.invalidateSession(session)
                    .then(Mono.fromRunnable {

                        logger.info("Deleting Session Cookie: ${sessionProperties.SESSION_COOKIE_NAME}")

                        // delete the session cookie
                        val sessionCookie = ResponseCookie.from(sessionProperties.SESSION_COOKIE_NAME)
                        sessionCookie.maxAge(0)
                        sessionCookie.httpOnly(sessionProperties.SESSION_COOKIE_HTTP_ONLY)
                        sessionCookie.secure(sessionProperties.SESSION_COOKIE_SECURE)
                        sessionCookie.sameSite(sessionProperties.SESSION_COOKIE_SAME_SITE)
                        sessionCookie.path(sessionProperties.SESSION_COOKIE_PATH)
                        sessionCookie.domain(sessionProperties.SESSION_COOKIE_DOMAIN)
                        .build()
                        response.headers.add(
                            HttpHeaders.SET_COOKIE,
                            sessionCookie.toString()
                        )

                        logger.info("Deleting Session Cookie: ${csrfProperties.CSRF_COOKIE_NAME}")

                        // delete the CSRF cookie
                        val csrfCookie = ResponseCookie.from(csrfProperties.CSRF_COOKIE_NAME)
                        csrfCookie.maxAge(0)
                        csrfCookie.httpOnly(csrfProperties.CSRF_COOKIE_HTTP_ONLY)
                        csrfCookie.secure(csrfProperties.CSRF_COOKIE_SECURE)
                        csrfCookie.sameSite(csrfProperties.CSRF_COOKIE_SAME_SITE)
                        csrfCookie.path(csrfProperties.CSRF_COOKIE_PATH)
                        csrfCookie.domain(csrfProperties.CSRF_COOKIE_DOMAIN)
                        .build()
                        response.headers.add(
                            HttpHeaders.SET_COOKIE,
                            csrfCookie.toString()
                        )
                    })
            }
    }
}

SessionControl

It calls another call called SessionControl, and the invalidate session method. Here is that function

fun invalidateSession(session: WebSession): Mono<Void> {
        val sessionInformation = getSessionInformation(session)
        logger.info("Invalidating sessionId: ${sessionInformation.sessionId}")
        // handle the session invalidation process
        return sessionInformation.invalidate()
            .then(Mono.defer {
                webSessionStore.removeSession(sessionInformation.sessionId)
            })
            .doOnSuccess {
                logger.info("Session invalidated and removed: ${sessionInformation.sessionId}")
            }
            .doOnError { error ->
                logger.error("Error invalidating session: ${sessionInformation.sessionId}", error)
            }
    }

WebSessionStore

That inturn calls Websession Store, and it's removeSession method.

Here is the bean and the function:

@Bean(name = ["webSessionStore"])
fun webSessionStore(
    reactiveRedisIndexedSessionRepository: ReactiveRedisIndexedSessionRepository
): SpringSessionWebSessionStore<RedisSession> {
    return SpringSessionWebSessionStore(reactiveRedisIndexedSessionRepository)
}

@Override
public Mono<Void> removeSession(String sessionId) {
    return this.sessions.deleteById(sessionId);
}

reactiveRedisIndexedSessionRepository

The this.sessions above refers to the ReactiveRedisIndexedSessionRepository that was passed in the constructor of the WebsessionStore. Looking at the internals of the Spring ReactiveRedisIndexedSessionRepository I see this:

public Mono<Void> deleteById(String id) {
        return deleteAndReturn(id).then();
    }

    private Mono<RedisSession> deleteAndReturn(String id) {
        // @formatter:off
        return getSession(id, true)
                .flatMap((session) -> this.sessionRedisOperations.delete(getExpiredKey(session.getId()))
                        .thenReturn(session))
                .flatMap((session) -> this.sessionRedisOperations.delete(getSessionKey(session.getId())).thenReturn(session))
                .flatMap((session) -> this.indexer.delete(session.getId()).thenReturn(session))
                .flatMap((session) -> this.expirationStore.remove(session.getId()).thenReturn(session));
        // @formatter:on
    }

Session in Redis before

As you can see before I logout, the session is there in Redis.

enter image description here

Session in Redis after

After I call the logout handler, something has definitely happened, but the session is still there with its key, just no map of values apart from a single lastaccessed map key / value.

enter image description here

Further more nothing ever gets deleted from the SortedSet, which according to the 4th step in the deleteAndReturn method above, it should...

enter image description here

So, can someone help me understand where I may have gone wrong in my code?

philwebb commented 3 weeks ago

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.

dreamstar-enterprises commented 3 weeks ago

Hmmm. ok thanks Phil. It does look like a bug to me : ( I'll post it on stack overflow.