dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.

Home Page: https://asp.net


Cookie Authentication Handler session key is re-used even when sign out is called before signing in

anarian opened this issue

Is there an existing issue for this?

  • I have searched the existing issues

It's related to #47503 but slightly different

Describe the bug

CookieAuthenticationHandler.HandleSignInAsync re-uses the session key from the session store when a user signs in again.

This was fixed because of #22135, but if HttpContext.SignOutAsync is called prior to signing in, the session ID is re-used even though it has been removed from the store. ITicketStore.RenewAsync does not return whether the ticket was successfully renewed, so the authentication handler expects the session to be present in the store.

Our application has use cases where the users may share devices (e.g. education, in schools), and the users may log in via IDP-initiated methods or directly from our application. We need to be able to sign them out and avoid re-using the session key between different users if a different user logs in.

Expected Behavior

The condition on line 339 should be changed to if (_sessionKey != null && !_signOutCalled) to avoid re-using the session key if a sign out request is made.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.204

Anything else?

No response
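The following is an added example, not code from this issue or from dotnet/aspnetcore, showing how an application can observe the behaviour described above from its own ITicketStore: when the cookie handler calls RenewAsync with a session key that is no longer in the store, the key is being carried over from a session that SignOutAsync already removed. The class name AuditingTicketStore, the in-memory ConcurrentDictionary backing and the log message are assumptions of this example; the ITicketStore methods themselves (StoreAsync, RenewAsync, RetrieveAsync, RemoveAsync) are the interface's real members.

```csharp
// Added example (not part of the issue or of ASP.NET Core): an in-memory
// ITicketStore that flags renewals of a session key that has already been
// removed, which is what happens when SignOutAsync precedes SignInAsync in
// the same request and the handler keeps the old key.
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Logging;

public sealed class AuditingTicketStore : ITicketStore   // hypothetical name
{
    // Backing store is an assumption for the example; a real deployment
    // would use a distributed cache or database.
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();
    private readonly ILogger<AuditingTicketStore> _logger;

    public AuditingTicketStore(ILogger<AuditingTicketStore> logger) => _logger = logger;

    // Called on sign-in when the handler holds no session key: mint a fresh one.
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N");
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    // Called on sign-in when the handler still holds a session key. If that key
    // is absent from the store, RemoveAsync ran earlier (sign-out) and the same
    // key is now being bound to the new principal.
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        if (!_tickets.ContainsKey(key))
        {
            _logger.LogWarning(
                "RenewAsync called for session key {Key} that is not in the store; " +
                "the key is being reused for principal {Name}",
                key, ticket.Principal.Identity?.Name);
        }
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    // Called on each authenticated request to load the ticket for the cookie's key.
    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult(ticket);
    }

    // Called on sign-out; after this the key should never be renewed again.
    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }
}

public static class AuditingTicketStoreSetup
{
    // Wire the store into the cookie scheme's options; Configure<TDep> is the
    // standard Microsoft.Extensions.Options overload used to inject the store.
    public static void Register(Microsoft.Extensions.DependencyInjection.IServiceCollection services)
    {
        Microsoft.Extensions.DependencyInjection.ServiceCollectionServiceExtensions
            .AddSingleton<ITicketStore, AuditingTicketStore>(services);
        Microsoft.Extensions.DependencyInjection.OptionsServiceCollectionExtensions
            .AddOptions<CookieAuthenticationOptions>(services, CookieAuthenticationDefaults.AuthenticationScheme)
            .Configure<ITicketStore>((options, store) => options.SessionStore = store);
    }
}
```

With this store registered, a request that calls SignOutAsync and then SignInAsync for a different user will produce the warning, which is the condition this issue asks the handler to avoid; the store cannot change the key itself because RenewAsync has no return value with which to tell the handler the key is gone.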