Reputation: 31
We have been using the checksession iframe but have been having issues with it detecting a session that has timed out due to inactivity. In our troubleshooting we've determined that idsrv4 has created a cookie called "idsrv.session" that the iframe polls. However, because the cookie has no expiry date (session cookie), even after 30 minutes (our session length), the iframe still responds with "unchanged". We were attempting to set an expiry on this cookie but it seemed like the wrong approach. Any ideas?
Upvotes: 3
Views: 3500
Reputation: 21
From http://openid.net/specs/openid-connect-session-1_0.html:
4.2. OP iframe
The OP browser state is typically going to be stored in a cookie or HTML5 local storage. It is origin bound to the Authorization Server. It captures meaningful events such as logins, logouts, change of user, change of authentication status for Clients being used by the End-User, etc. Thus, the OP SHOULD update the value of the browser state in response to such meaningful events. As a result, the next call to check_session() after such an event will return the value changed. It is RECOMMENDED that the OP not update the browser state too frequently in the absence of meaningful events so as to spare excessive network traffic at the Client in response to spurious changed events.
or more specifically
change of authentication status
Are you coming from Identity Server 3? In 3 this cookie had an expiration date. It was removed in 4 because the spec didn't call for it:
In IdSvr4 the entire UI for login will be the responsibility of the developer (you) and not the framework (us). So you can issue your own persistent cookie if you want.
(from https://github.com/IdentityServer/IdentityServer4/issues/193)
Brock Allen (Identity Server author) mentions that you can create your own cookie middleware to have additional control over your cookies:
The short answer as Dom said is to setup your own cookie middleware and let us know about it via this property: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Configuration/DependencyInjection/Options/AuthenticationOptions.cs#L21
(from https://github.com/IdentityServer/IdentityServer4/issues/662)
For this particular cookie you may need to implement the IUserSession interface (previously, ISessionIdService) and register it through DI.
Upvotes: 2