Server Side Session SQL Database #98
-
IdentityServer version: 7
.NET version: 9

Description: We have set up server side sessions and have a single session database accessed by two different apps. Is this possible or does each app need its own session database?

Reproduction steps: No response
Expected behavior: No response
Logs: No response
Additional context: No response
Replies: 4 comments
-
If you use the OpenID Connect authorization code flow in a system browser that shares cookies (ASWebAuthenticationSession on iOS, CustomTab on Android), you can have one serverside session in the browser, and authorize the two mobile app clients, each with their own refresh_token. The two refresh_tokens belong to the same serverside session.
-
I understand the shared cookies across both apps, and yes, indeed the same cookies are shared; I can view them via the browser. To further describe the scenario, we have the Backend For Front End framework in place and the call to /bff/user?slide=false fails on the 2nd app to login. If I refresh either app they are both still logged in and authenticated. The entries from the log of the app that fails to call /bff/user are as follows: -
These logs are from our local development environment but we get similar behaviour when deployed to Azure App Services. The only difference is that when we run locally we get 2 server sessions because the ApplicationName is different, whereas on the live database there is only ever one because the application name appears to be identical for both apps. We have the server side sessions enabled via the AddEntityFrameworkServerSideSessions extension method and we use the same connection string in both our apps. Our BFF configuration is as follows in both app projects: -
-
OK, after more hours of digging and running the SQL profiler, I'm not sure this is an issue with the session store, although when you have two web apps running concurrently in Visual Studio you only ever get requests to the Session Store for the second app to login. I cannot find any way to configure the application discriminator to overcome this.
-
I realized that my cookie in both apps had the same name due to the code being shared between both apps!!
I've now given each app its own name and everything is working as it should. Sorry, nothing to do with Duende!
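Why a shared cookie name lets two apps interfere, as an added example that is not code from this thread: a small model of the browser cookie store, where a cookie is identified by name, domain and path and the port plays no part. It assumes both apps are served from the same host name (here localhost on two ports); the hosts, ports and cookie names are constructed.

```javascript
// Minimal model of a browser cookie jar (RFC 6265, section 5.3): a stored
// cookie is identified by name + domain + path. Scheme and port are not part
// of that identity. Hosts, ports and cookie names below are constructed.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply a Set-Cookie from a response of `origin` (host-only cookie, Path=/).
  setCookie(origin, name, value) {
    const { hostname } = new URL(origin);
    this.store.set(`${name};${hostname};/`, { name, value, host: hostname });
  }

  // Cookies the browser attaches to the next request for `origin`.
  cookiesFor(origin) {
    const { hostname } = new URL(origin);
    const sent = {};
    for (const c of this.store.values()) {
      if (c.host === hostname) sent[c.name] = c.value;
    }
    return sent;
  }
}

// Log in to app 1, then app 2, and report what each app receives afterwards.
function loginBoth(app1, app2) {
  const jar = new CookieJar();
  jar.setCookie(app1.origin, app1.cookieName, "session-of-app1");
  jar.setCookie(app2.origin, app2.cookieName, "session-of-app2");
  return {
    app1Receives: jar.cookiesFor(app1.origin),
    app2Receives: jar.cookiesFor(app2.origin),
  };
}

const APP1 = "https://localhost:5001";
const APP2 = "https://localhost:5002";

// Shared code, same cookie name: the second login replaces app 1's cookie,
// so app 1 now receives a session cookie it did not issue.
const collided = loginBoth({ origin: APP1, cookieName: "bff" },
                           { origin: APP2, cookieName: "bff" });

// Per-app names: both cookies coexist and each app reads only its own name.
const separated = loginBoth({ origin: APP1, cookieName: "bff-app1" },
                            { origin: APP2, cookieName: "bff-app2" });

console.log(collided.app1Receives, separated.app1Receives);
```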