ServerSideTicketStore.RenewAsync occurs with the wrong (old) expiry from the token

[adamzest]

IdentityServer version

Server Side Sessions not renewing

.NET version

9.0

Description

ServerSideTicketStore.RenewAsync occurs with the wrong (old) expiry from the token causing us to store the 'old' values for the token, and on subsequent requests, to consider the session expired when it isnt.

See DuendeSoftware/products#1622
Seems related to this change in 7.1:
DuendeSoftware/products@824a18d#diff-9edde2146bf1640c7c658a40afa16b2c082d4026d5dbd0000d4e44f67eee8f23

Reproduction steps

.AddServerSideSessions();
options.Authentication.CookieLifetime = 60;
options.Authentication.CookieSlidingExpiration = true;

Login - initial session is created
Make subsequent requests seeing that session is renewed (on every call, even though cookie has plenty of life left) with existing expiry. If the cookie is past its half life, it is still renewed with the original expiry.

Expected behavior

When cookie is over half of its age, sliding expiration should extend the cookie expiry, and this should result in the ticket being updated in the ServerSideSessionStore with the updated renewal and expiry times.

Logs

Logs from already logged in session. Session started 02/24/2025 12:19:21, with 60 minute expiry (request was after more than 30 minutes so should have extended session):

Duende.IdentityServer.Hosting.IdentityServerAuthenticationService: Debug: Augmenting SignInContext
Duende.IdentityServer.Stores.ServerSideTicketStore: Debug: Renewing AuthenticationTicket for key 9E9D17FCE832FC28C71D4BCB6A7E74459ACFAFAA577070D4EFA32406120B8DFF, with expiration: 02/24/2025 13:19:21
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler: Information: AuthenticationScheme: idsrv signed in.

Additional context

Reverting to 7.0.x resolves the issue.

[bhazen]

Thanks for the report. After looking at the changes you referenced it appeared there was a logic change there which could be causing the behavior you're observing.

There are a few points I'd like to clarify to ensure I'm setting up my scenario to test this behavior similar to what you're observing:

1. Do you have CoordinateLifetimeWithUserSession enabled for the client for which you're observing this behavior or globally in IdentityServer?
2. After login, when you "Make subsequent requests seeing that session is renewed", what sort of request are you making? Are those backchannel requests from your client to IdentityServer, front channel requests to IdentityServer, or mix of the two?

[adamzest]

Hi @bhazen

No we are not setting CoordinateLifetimeWithUserSession. Its all front channel.

Our setup is that we have our IDP which implements IServerSideSessionStore. i.e. we do this:
.AddServerSideSessions()
options.Authentication.CookieLifetime = 60;
options.Authentication.CookieSlidingExpiration = true;

and our separate web app is an OIDC client.

The flow is:

• Access app - redirected to IDP for authentication
• IDP session created (1 hour sliding expiration), cookie issued, IServerSideSessionStore.CreateSessionAsync stores server side session in Redis
• Browser redirects to our app and is issued app auth cookie (30 min validity)
• After 30 mins...
• App session expires and user is redirected back to IDP where they are still have the remainder of their 60 mins IDP session

Expected (works on 7.0):

• Expected (working on 7.0) - sliding session extends, IServerSideSessionStore.UpdateSessionAsync(session) is passed the extended session and we update our store, and user is redirected back to app. The session.Expires has been extended.

Actual (7.1)

• because a re-signin happens due to the code change which is 're-adding' the client id that already exists, CookieAuthenticationHandler follows a different flow and ultimately passes the re-signed in (but not extended) token to IServerSideSessionStore.UpdateSessionAsync(session) which does not have an extended session.Expires and ultimately causes the sliding expiration to never increment.

[bhazen]

Thanks for the additional detail about the flow.

[bhazen]

I've opened bug on our internal backlog for this. Thanks again for reporting the issue and your efforts in troubleshooting things.

[josephdecock]

IdentityServer 7.1.1 was just released, fixing this issue. Thanks again for reporting it!