Which version of Duende IdentityServer are you using?
6.1.0
Which version of .NET are you using?
6.x.x
Describe the bug
We've been setting up the new server-side sessions (by the way, great addition!), and found that when using ServerSideSessionStore.QuerySessionsAsync, the filters are not applied as we expected (also when used from DefaultSessionManagementService.QuerySessionsAsync).
The filters only work if all 3 of the filters (SubjectId, SessionId, DisplayName) are set; if one is not set, then none of the filters will be applied.
To Reproduce
Create some sessions for different users, e.g. bob and alice. Call serverSideSessionStore.QuerySessionsAsync(new SessionQuery { SubjectId = "{alice}" }); and both Alice's and Bob's sessions will be returned.
It can also be reproduced from the unit test ServerSideSessionTests.querysessions_on_ticket_store_should_use_session_store: simply change one of the sessions from Alice to Bob, and observe that 3 sessions are still returned. The test will still pass since it compares the count with tickets that also use sessionStore.QuerySessionsAsync.
Expected behavior
Would expect only to get the sessions back that satisfy the filter, even if the filter is only set for one field e.g. SubjectId.
Additional context
A potential fix is changing the OR operator to the AND operator in lines 340-343 in ServerSideSessionStore, and on different lines but in the same way in InMemoryServerSideSessionStore, from:
I'll be happy to create this as a pull request.
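
The behaviour reported above, as an added example that is not part of the original report and is not Duende IdentityServer code. The `Session` and `Filter` types, the two query methods, the "unset or equal" clause shape and the equality match on `DisplayName` are assumptions reconstructed from the description in the issue.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins for illustration; not Duende IdentityServer types.
public record Session(string SubjectId, string SessionId, string DisplayName);
public record Filter(string? SubjectId = null, string? SessionId = null, string? DisplayName = null);

public static class SessionFilterDemo
{
    // Each clause reads "filter unset, or field matches".
    // Joined with OR, one unset filter makes its clause true for every row,
    // so the whole predicate is true and nothing is filtered out.
    public static List<Session> QueryWithOr(IEnumerable<Session> sessions, Filter f) =>
        sessions.Where(s =>
            (f.SubjectId == null || s.SubjectId == f.SubjectId) ||
            (f.SessionId == null || s.SessionId == f.SessionId) ||
            (f.DisplayName == null || s.DisplayName == f.DisplayName)).ToList();

    // Joined with AND, unset filters are neutral and set filters must all match.
    public static List<Session> QueryWithAnd(IEnumerable<Session> sessions, Filter f) =>
        sessions.Where(s =>
            (f.SubjectId == null || s.SubjectId == f.SubjectId) &&
            (f.SessionId == null || s.SessionId == f.SessionId) &&
            (f.DisplayName == null || s.DisplayName == f.DisplayName)).ToList();

    public static void Main()
    {
        // Constructed sample data.
        var sessions = new List<Session>
        {
            new("alice", "sid-1", "Alice"),
            new("alice", "sid-2", "Alice"),
            new("bob",   "sid-3", "Bob"),
        };
        var onlyAlice = new Filter(SubjectId: "alice");

        var withOr = QueryWithOr(sessions, onlyAlice);
        var withAnd = QueryWithAnd(sessions, onlyAlice);

        Console.WriteLine($"OR  returned {withOr.Count} sessions: " +
            string.Join(", ", withOr.Select(s => s.SubjectId)));
        Console.WriteLine($"AND returned {withAnd.Count} sessions: " +
            string.Join(", ", withAnd.Select(s => s.SubjectId)));

        // A regression check that would catch the reported behaviour.
        if (withAnd.Any(s => s.SubjectId != "alice"))
            throw new InvalidOperationException("filter returned another subject's session");
    }
}
```

A test that compares the result count against another call to the same query method cannot detect this; asserting on the subject of each returned session does.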