Cookie authentication handler calls SessionStore.RenewAsync() on sign in with expired session. #41516
Closed
Label: area-auth (Includes: Authn, Authz, OAuth, OIDC, Bearer)
Resolution: Fixed. The bug or enhancement requested in this issue has been checked-in!
Describe the bug
The CookieAuthenticationHandler will call Options.SessionStore.RemoveAsync(_sessionKey, ...) during authentication as part of ReadCookieTicket() if the ticket loaded from the SessionStore is expired. If during the same request we attempt to sign in again, HandleSignInAsync() will call Options.SessionStore.RenewAsync(_sessionKey, ...). Depending on the SessionStore implementation, RenewAsync might throw an exception if it expects the session to still exist at the time it is called.

This appears to be caused by the changes from #22732, attempting to fix #22135.

The only workaround I can think of is to design the implementation of RenewAsync such that it adds back the session if it no longer exists. Is this assumption correct? Is this even safe?
Expected Behavior
After calling Options.SessionStore.RemoveAsync(_sessionKey, ...), the private _sessionKey field ought to be reset to null. This way a new session is correctly stored on sign in.

Steps To Reproduce
Exceptions (if any)
No response
.NET Version
6.0.202
Anything else?
No response
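The following is an added example, not code from the issue author or from the aspnetcore repository. It shows the workaround the report proposes: a constructed in-memory ITicketStore (the interface behind CookieAuthenticationOptions.SessionStore) whose RenewAsync upserts instead of requiring the key to still exist, plus a replay of the store/remove/renew sequence the issue describes. The store class, its field names and the Repro helper are assumptions of this example; the ITicketStore members and AuthenticationTicket types are the real ASP.NET Core ones. Upserting under the supplied key is acceptable here because the handler only reaches RenewAsync with a key it took from a cookie ticket it had already unprotected, so a client cannot choose the key; the store has no eviction and is for illustration, not production.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Constructed example store (not the framework's): RenewAsync tolerates a key that
// RemoveAsync has already deleted, which is the workaround proposed in the issue.
public sealed class TolerantMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // Fresh, unguessable key; the handler places it in the cookie's session-id claim.
        var key = Guid.NewGuid().ToString("N");
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Upsert rather than require-present: if the expired session was removed earlier
        // in the same request, the new sign-in still lands under the key the handler kept.
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }
}

// Replays the sequence from the issue: store -> load (expired) -> remove -> renew.
public static class Repro
{
    public static async Task<bool> RenewAfterRemoveSucceeds()
    {
        var store = new TolerantMemoryTicketStore();
        var scheme = CookieAuthenticationDefaults.AuthenticationScheme;
        var principal = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice") }, scheme)); // constructed user

        // A ticket that is already past its expiry when it is read back.
        var expired = new AuthenticationTicket(principal,
            new AuthenticationProperties { ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(-1) },
            scheme);
        var key = await store.StoreAsync(expired);

        // ReadCookieTicket(): the ticket is expired, so the handler removes the session
        // but (before the fix) keeps _sessionKey set.
        var loaded = await store.RetrieveAsync(key);
        if (loaded?.Properties.ExpiresUtc < DateTimeOffset.UtcNow)
            await store.RemoveAsync(key);

        // HandleSignInAsync() in the same request: _sessionKey is still set, so the
        // handler calls RenewAsync; a require-present store would throw here.
        var fresh = new AuthenticationTicket(principal,
            new AuthenticationProperties { ExpiresUtc = DateTimeOffset.UtcNow.AddHours(1) },
            scheme);
        await store.RenewAsync(key, fresh);

        return ReferenceEquals(await store.RetrieveAsync(key), fresh);
    }
}
```

To use such a store, assign it in the cookie options (`options.SessionStore = new TolerantMemoryTicketStore();` inside `AddCookie`). Repro.RenewAfterRemoveSucceeds() returns true with this store; the same sequence against a store that throws when the key is absent reproduces the exception the issue describes.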