Filters for ServerSideSessionStore.QuerySessionsAsync #94

Closed
mortenvalvik opened this issue Jun 16, 2022 · 2 comments · Fixed by DuendeSoftware/IdentityServer#946

@mortenvalvik

Which version of Duende IdentityServer are you using?
6.1.0

Which version of .NET are you using?
6.x.x

Describe the bug
We've been setting up the new server side sessions (by the way, great addition!), and found that when using ServerSideSessionStore.QuerySessionsAsync, the filters are not applied as we expected. (Also when used from DefaultSessionManagementService.QuerySessionsAsync.)

The filters only work if all 3 of the filters (SubjectId, SessionId, DisplayName) are set; if one is not set, then none of the filters will be applied.

To Reproduce
Create some sessions for different users, e.g. bob and alice. Call serverSideSessionStore.QuerySessionsAsync(new SessionQuery { SubjectId = "{alice}" }); and both Alice's and Bob's sessions will be returned.

It can also be reproduced from the unit test ServerSideSessionTests.querysessions_on_ticket_store_should_use_session_store: simply change one of the sessions from Alice to Bob, and inspect that 3 sessions are still returned. The test will still pass, since it compares the count with tickets that also use sessionStore.QuerySessionsAsync.

Expected behavior

Would expect to get back only the sessions that satisfy the filter, even if the filter is only set for one field, e.g. SubjectId.

Additional context

A potential fix is changing the OR operator to the AND operator in lines 340-343 in ServerSideSessionStore, and the same at different lines in InMemoryServerSideSessionStore, from:

query = query.Where(x =>
                (filter.SubjectId == null || x.SubjectId.Contains(filter.SubjectId)) ||
                (filter.SessionId == null || x.SessionId.Contains(filter.SessionId)) ||
                (filter.DisplayName == null || (x.DisplayName != null && x.DisplayName.Contains(filter.DisplayName) == true))
            ); 

To:

query = query.Where(x =>
                (filter.SubjectId == null || x.SubjectId.Contains(filter.SubjectId)) &&
                (filter.SessionId == null || x.SessionId.Contains(filter.SessionId)) &&
                (filter.DisplayName == null || (x.DisplayName != null && x.DisplayName.Contains(filter.DisplayName) == true))
            );

I'll be happy to create this as a pull request.
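
The single-field query from the report, reproduced over in-memory LINQ as an added example (not code from the issue or from Duende IdentityServer). The `Session` and `Filter` records, the `Demo` class and the sample rows are constructed stand-ins; the final checks assert on the returned subjects rather than on a count, because the report notes that a count comparison let the existing test pass.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-ins for illustration; these are not the Duende IdentityServer types.
record Session(string SubjectId, string SessionId, string? DisplayName);
record Filter(string? SubjectId = null, string? SessionId = null, string? DisplayName = null);

static class Demo
{
    // Reported form: clauses joined with ||, so any unset (null) field makes the whole predicate true.
    static bool MatchesOr(Session x, Filter f) =>
        (f.SubjectId == null || x.SubjectId.Contains(f.SubjectId)) ||
        (f.SessionId == null || x.SessionId.Contains(f.SessionId)) ||
        (f.DisplayName == null || (x.DisplayName != null && x.DisplayName.Contains(f.DisplayName)));

    // Proposed form: clauses joined with &&, so an unset field is neutral and every set field must match.
    static bool MatchesAnd(Session x, Filter f) =>
        (f.SubjectId == null || x.SubjectId.Contains(f.SubjectId)) &&
        (f.SessionId == null || x.SessionId.Contains(f.SessionId)) &&
        (f.DisplayName == null || (x.DisplayName != null && x.DisplayName.Contains(f.DisplayName)));

    static string Show(IEnumerable<Session> r) =>
        string.Join(", ", r.Select(s => $"{s.SubjectId}/{s.SessionId}"));

    static void Main()
    {
        // Constructed sample data: two sessions for alice, one for bob.
        var sessions = new List<Session>
        {
            new("alice", "s1", "Alice"),
            new("alice", "s2", "Alice"),
            new("bob", "s3", null),
        };
        var filter = new Filter(SubjectId: "alice");
        var withOr = sessions.Where(s => MatchesOr(s, filter)).ToList();
        var withAnd = sessions.Where(s => MatchesAnd(s, filter)).ToList();

        Console.WriteLine($"OR  form: {Show(withOr)}");
        Console.WriteLine($"AND form: {Show(withAnd)}");

        // Regression check on content, not count: every returned row must carry the requested subject.
        if (withAnd.Count != 2 || !withAnd.All(s => s.SubjectId == "alice"))
            throw new Exception("AND form returned a session for another subject");
        if (withOr.All(s => s.SubjectId == "alice"))
            throw new Exception("expected the OR form to return bob's session as well");
    }
}
```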

@brockallen
Member

Thanks -- we'll have a look.

@brockallen
Member

PR submitted. Thanks for reporting!
