DuendeSoftware · josephdecock · Aug 30, 2022 · Aug 17, 2022 · Aug 17, 2022
diff --git a/src/EntityFramework.Storage/Stores/ServerSideSessionStore.cs b/src/EntityFramework.Storage/Stores/ServerSideSessionStore.cs
@@ -80,7 +80,7 @@ public virtual async Task CreateSessionAsync(ServerSideSession session, Cancella
             await Context.SaveChangesAsync(cancellationToken);
             Logger.LogDebug("Created new server-side session {serverSideSessionKey} in database", session.Key);
         }
-        catch (DbUpdateConcurrencyException ex)
+        catch (DbUpdateException ex)
         {
             Logger.LogWarning("Exception creating new server-side session in database: {error}", ex.Message);
         }
@@ -150,7 +150,7 @@ public virtual async Task UpdateSessionAsync(ServerSideSession session, Cancella
             await Context.SaveChangesAsync(cancellationToken);
             Logger.LogDebug("Updated server-side session {serverSideSessionKey} in database", session.Key);
         }
-        catch (DbUpdateConcurrencyException ex)
+        catch (DbUpdateException ex)
         {
             Logger.LogWarning("Exception updating existing server side session {serverSideSessionKey} in database: {error}", session.Key, ex.Message);
         }
@@ -180,7 +180,7 @@ public virtual async Task DeleteSessionAsync(string key, CancellationToken cance
             await Context.SaveChangesAsync(cancellationToken);
             Logger.LogDebug("Deleted server-side session {serverSideSessionKey} in database", key);
         }
-        catch (DbUpdateConcurrencyException ex)
+        catch (DbUpdateException ex)
         {
             Logger.LogWarning("Exception deleting server-side session {serverSideSessionKey} in database: {error}", key, ex.Message);
         }
@@ -239,7 +239,7 @@ public virtual async Task DeleteSessionsAsync(SessionFilter filter, Cancellation
             await Context.SaveChangesAsync(cancellationToken);
             Logger.LogDebug("Removed {serverSideSessionCount} server-side sessions from database for {@filter}", entities.Length, filter);
         }
-        catch (DbUpdateConcurrencyException ex)
+        catch (DbUpdateException ex)
         {
             Logger.LogInformation("Error removing {serverSideSessionCount} server-side sessions from database for {@filter}: {error}", entities.Length, filter, ex.Message);
         }

diff --git a/src/IdentityServer/Stores/Default/ServerSideTicketStore.cs b/src/IdentityServer/Stores/Default/ServerSideTicketStore.cs
@@ -61,6 +61,13 @@ public async Task<string> StoreAsync(AuthenticationTicket ticket)
 
         var key = CryptoRandom.CreateUniqueId(format: CryptoRandom.OutputFormat.Hex);
 
+        await CreateNewSessionAsync(key, ticket);
+
+        return key;
+    }
+
+    private async Task CreateNewSessionAsync(string key, AuthenticationTicket ticket)
+    {
         _logger.LogDebug("Creating entry in store for AuthenticationTicket, key {key}, with expiration: {expiration}", key, ticket.GetExpiration());
 
         var session = new ServerSideSession
@@ -77,8 +84,6 @@ public async Task<string> StoreAsync(AuthenticationTicket ticket)
         };
 
         await _store.CreateSessionAsync(session);
-
-        return key;
     }
 
     /// <inheritdoc />
@@ -121,7 +126,9 @@ public async Task RenewAsync(string key, AuthenticationTicket ticket)
         var session = await _store.GetSessionAsync(key);
         if (session == null)
         {
-            throw new InvalidOperationException($"No matching item in store for key `{key}`");
+            // https://github.com/dotnet/aspnetcore/issues/41516#issuecomment-1178076544
+            await CreateNewSessionAsync(key, ticket);
+            return;
         }
 
         _logger.LogDebug("Renewing AuthenticationTicket for key {key}, with expiration: {expiration}", key, ticket.GetExpiration());

diff --git a/test/IdentityServer.IntegrationTests/Hosting/ServerSideSessionTests.cs b/test/IdentityServer.IntegrationTests/Hosting/ServerSideSessionTests.cs
@@ -17,6 +17,10 @@
 using System.Collections.Generic;
 using System;
 using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Session;
+using FluentAssertions.Common;
+using Duende.IdentityServer;
 
 namespace IntegrationTests.Hosting;
 
@@ -38,23 +42,37 @@ public class MockServerUrls : IServerUrls
         public string Origin { get; set; }
         public string BasePath { get; set; }
     }
-
+    public bool ShouldRenewCookie { get; set; } = false;
+
     public ServerSideSessionTests()
     {
         _urls.Origin = IdentityServerPipeline.BaseUrl;
         _urls.BasePath = "/";
-        _pipeline.OnPostConfigureServices += s => 
+        _pipeline.OnPostConfigureServices += s =>
         {
+            s.PostConfigure<CookieAuthenticationOptions>(IdentityServerConstants.DefaultCookieAuthenticationScheme, opts =>
+            {
+                opts.Events.OnValidatePrincipal = async ctx =>
+                {
+                    ctx.ShouldRenew = ShouldRenewCookie;
+                    if (ShouldRenewCookie)
+                    {
+                        await _sessionStore.DeleteSessionsAsync(new SessionFilter { SubjectId = "bob" });
+                    }
+                };
+            });
+
             s.AddSingleton<IServerUrls>(_urls);
             s.AddIdentityServerBuilder().AddServerSideSessions();
         };
         _pipeline.OnPostConfigure += app =>
         {
             _pipeline.Options.ServerSideSessions.RemoveExpiredSessionsFrequency = TimeSpan.FromMilliseconds(100);
 
-            app.Map("/user", ep => {
-                ep.Run(ctx => 
-                { 
+            app.Map("/user", ep =>
+            {
+                ep.Run(ctx =>
+                {
                     if (ctx.User.Identity.IsAuthenticated)
                     {
                         ctx.Response.StatusCode = 200;
@@ -122,6 +140,18 @@ public async Task login_should_create_server_side_session()
         (await IsLoggedIn()).Should().BeTrue();
     }
 
+    [Fact]
+    [Trait("Category", Category)]
+    public async Task renewal_should_create_new_record_if_missing()
+    {
+        await _pipeline.LoginAsync("bob");
+
+        ShouldRenewCookie = true;
+        (await IsLoggedIn()).Should().BeTrue();
+
+        (await _sessionStore.GetSessionsAsync(new SessionFilter { SubjectId = "bob" })).Should().NotBeEmpty();
+    }
+
     [Fact]
     [Trait("Category", Category)]
     public async Task remove_server_side_session_should_logout_user()