auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.


`/logout` cookie cleaning issues

Will956 opened this issue · comments

Describe the problem

Hello 👋

I'm following up on that issue #446. We have the same issue on our side regarding requests concurrency that re-establishes appSession cookie.

We first made sure that rolling is set to false to prevent that issue. But we found that the expiry of the cookie still actually changes on concurrent requests (see video).

Enregistrement.de.l.ecran.2023-03-21.a.16.51.18.mov

As you can see, it's always the milliseconds that get updated in a weird way. However, when debugging the SDK, it does update the cookie with the right expiry value as far as I can understand:

express-openid-connect:appSession cookieOptions {
  httpOnly: true,
  sameSite: 'Lax',
  secure: false,
  expires: 2023-03-28T15:42:54.000Z
}

Note: this behavior (milliseconds that get updated in a weird way) is not related to that SDK, this is the same behavior when setting cookies in general

We also tried to use a custom store (Redis), but it doesn't fix the issue.

My question is: do you see any other way to prevent requests concurrency from re-establishing appSession cookie?

Thanks 🙏

Environment

  • Version of this library used: 2.12.1
  • Which framework are you using, if applicable: Express
  • Other modules/plugins/libraries that might be involved: connect-redis@7.0.1 / ioredis@5.3.1

Hi @Will956 - thanks for raising this

We also tried to use a custom store (Redis), but it doesn't fix the issue.

Concurrent requests might re-establish an appSession cookie even when you're using a stateful session store like Redis, but when you log out, the session id in the appSession cookie will point to an entry that's been removed from the store, so you should not re-establish a session.

Hey @adamjmcgrath, thanks for your quick response.

I did some tests, by using Redis and using a custom logout endpoint (but using res.oidc.logout() under the hood) it does correctly clean the session and the cookie is not re-established.

By using the same setup, but not using a custom logout endpoint, it does sometimes re-establish the cookie.

Not sure why there is a difference between setting a custom logout endpoint or not with a custom store, but it fixes my issue 🤷‍♂️ (maybe I got some luck there 😄).

But, as you said, if I encounter this issue again I should clear the corresponding key on the Redis store in a custom logout endpoint and it will clear the session.

I'm closing that issue, thanks again 🫢