Cookie Authentication Handler session key is re-used even when sign out is called before signing in
anarian opened this issue
Is there an existing issue for this?
- I have searched the existing issues
It's related to #47503 but slightly different
Describe the bug
CookieAuthenticationHandler.HandleSignInAsync re-uses the session key from the session store when a user signs in again. This was fixed because of #22135, but if HttpContext.SignOutAsync is called prior to signing in, the session ID is re-used even though it's been removed from the store. ITicketStore.RenewAsync does not return whether the ticket was successfully renewed, so the authentication handler expects the session to be present in the store.
Our application has use cases where the users may share devices (e.g. education, in schools), and the users may log in via IDP-initiated methods or directly from our application. We need to be able to sign them out and avoid re-using the session key between different users if a different user logs in.
Expected Behavior
The condition on line 339 should be changed to if (_sessionKey != null && !_signOutCalled) to avoid re-using the session key if a sign out request is made.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
8.0.204
Anything else?
No response
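The sequence the report describes (user A signed in, SignOut, user B signs in within the same request, B ends up under A's session key) as an added, self-contained illustration. This is not the ASP.NET Core source and not the reporter's code: ISessionStore, MemorySessionStore, Ticket and SessionKeyModel are hypothetical stand-ins that only mirror the shape of ITicketStore and the two handler fields (_sessionKey, _signOutCalled) the issue mentions. The applyProposedFix switch toggles between the current condition and the one proposed above.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Stand-in for AuthenticationTicket: only the identity matters here.
public sealed record Ticket(string User);

// Local stand-in with the same method shape as ITicketStore. RenewAsync
// returns a plain Task, so the caller cannot learn whether the key still existed.
public interface ISessionStore
{
    Task<string> StoreAsync(Ticket ticket);
    Task RenewAsync(string key, Ticket ticket);
    Task<Ticket?> RetrieveAsync(string key);
    Task RemoveAsync(string key);
}

public sealed class MemorySessionStore : ISessionStore
{
    private readonly Dictionary<string, Ticket> _tickets = new();

    public Task<string> StoreAsync(Ticket ticket)
    {
        var key = Guid.NewGuid().ToString("N");   // fresh, unguessable key
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, Ticket ticket)
    {
        // Re-creates the entry even if RemoveAsync already deleted it:
        // this is how a removed key silently comes back to life.
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    public Task<Ticket?> RetrieveAsync(string key) =>
        Task.FromResult(_tickets.TryGetValue(key, out var t) ? t : null);

    public Task RemoveAsync(string key)
    {
        _tickets.Remove(key);
        return Task.CompletedTask;
    }
}

// Hypothetical model of the handler's session-key bookkeeping, not the real
// CookieAuthenticationHandler. One instance stands for one request;
// sessionKeyFromCookie plays the role of the key read during authentication.
public sealed class SessionKeyModel
{
    private readonly ISessionStore _store;
    private readonly bool _applyProposedFix;
    private string? _sessionKey;
    private bool _signOutCalled;

    public SessionKeyModel(ISessionStore store, string? sessionKeyFromCookie, bool applyProposedFix)
    {
        _store = store;
        _sessionKey = sessionKeyFromCookie;
        _applyProposedFix = applyProposedFix;
    }

    public async Task SignOutAsync()
    {
        if (_sessionKey != null)
            await _store.RemoveAsync(_sessionKey);   // ticket removed, key still held in memory
        _signOutCalled = true;
    }

    public async Task<string> SignInAsync(Ticket ticket)
    {
        // Current condition: reuse whenever a key is known.
        // Proposed condition: also require that no sign-out happened in this request.
        bool reuse = _sessionKey != null && (!_applyProposedFix || !_signOutCalled);
        if (reuse)
            await _store.RenewAsync(_sessionKey!, ticket);
        else
            _sessionKey = await _store.StoreAsync(ticket);
        return _sessionKey!;
    }
}

public static class Program
{
    // Shared-device sequence: alice is signed in, alice signs out, bob signs in.
    // Returns true when bob's sign-in landed on alice's old key.
    public static async Task<bool> KeyIsReusedAsync(bool applyProposedFix)
    {
        var store = new MemorySessionStore();
        var keyA = await store.StoreAsync(new Ticket("alice"));

        var handler = new SessionKeyModel(store, keyA, applyProposedFix);
        await handler.SignOutAsync();
        var keyB = await handler.SignInAsync(new Ticket("bob"));

        var ticketUnderA = await store.RetrieveAsync(keyA);
        Console.WriteLine($"applyProposedFix={applyProposedFix}: keyB == keyA is {keyB == keyA}; " +
                          $"ticket stored under keyA: {ticketUnderA?.User ?? "<none>"}");
        return keyB == keyA;
    }

    public static async Task Main()
    {
        await KeyIsReusedAsync(applyProposedFix: false);
        await KeyIsReusedAsync(applyProposedFix: true);
    }
}
```

With applyProposedFix false, RenewAsync re-inserts alice's removed key with bob's ticket, so KeyIsReusedAsync returns true and bob's session is reachable through whatever still references the old key. With the proposed condition, SignInAsync falls through to StoreAsync, bob receives a fresh key, and nothing remains under keyA. The model also shows why a store cannot work around this on its own: RenewAsync has no return value through which it could report that the key was already gone.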