I'm not sure if it's the same, but I may have run into a very similar problem - this is since upgrading from 7.0.8 to 7.1.0 (or later).
We have an issue where ServerSideTicketStore.RenewAsync occurs with the wrong (old) expiry from the token, causing us to store the 'old' values for the token, and on subsequent requests, to consider the session expired when it isn't.
Having debugged it, it appears to be because it does a full login, not a renew, due to this change to AddClientIdAsync, which now adds a clientid even if it already exists, causing a SignInAsync() which uses the existing expiry from the existing AuthenticationProperties (thus disabling the rolling extension of the expiry): 824a18d#diff-9edde2146bf1640c7c658a40afa16b2c082d4026d5dbd0000d4e44f67eee8f23
If I override the behaviour in DefaultUserSession to prevent adding the client id that already exists, then the renewal works as expected as CookieAuthenticationHandler renews the cookie, and then calls the session store in the FinishResponseAsync which updates our stored session with the new expiry.
If all of these features are used at the same time, I don't think we handle this correctly.
The result is that even if the session's lifetime is extended server side, the cookie is not extended and could be removed as expired by the browser.
This might apply to the BFF server side session system too.
DuendeSoftware/Support#1417
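The renewal problem described in the comment above, as an added C# model that is not part of the original thread and is not ASP.NET Core or Duende code. CookieHandlerModel, Ticket and the constructed 12:00 login timeline are hypothetical, and the model assumes that a sign-in on the same request supersedes the queued sliding refresh, as the commenter's debugging describes.

```csharp
using System;

// Constructed timeline: login at 12:00, 60-minute sliding lifetime, request at 12:40.
var lifetime = TimeSpan.FromMinutes(60);
var login = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
var now = login.AddMinutes(40);
var nextRequest = login.AddMinutes(70); // 13:10, inside the window only if the expiry rolled

foreach (var reSignIn in new[] { false, true })
{
    var handler = new CookieHandlerModel(lifetime, new Ticket(login, login + lifetime));
    handler.Authenticate(now);        // past half of the lifetime: sliding refresh is queued
    if (reSignIn) handler.SignIn();   // models the session update that re-adds the client id
    handler.FinishResponse(now);
    Console.WriteLine($"reSignIn={reSignIn}: stored expiry {handler.Stored.ExpiresUtc:HH:mm}, " +
                      $"expired at 13:10: {handler.Stored.ExpiresUtc < nextRequest}");
}

// Hypothetical stand-in for the ticket's IssuedUtc/ExpiresUtc properties.
record Ticket(DateTimeOffset IssuedUtc, DateTimeOffset ExpiresUtc);

// Hypothetical model of a cookie handler backed by a server-side ticket store.
class CookieHandlerModel
{
    private readonly TimeSpan _lifetime;
    private readonly Ticket _ticket;
    private bool _shouldRefresh, _signInCalled;
    public Ticket Stored { get; private set; } // what the server-side store holds

    public CookieHandlerModel(TimeSpan lifetime, Ticket ticket)
    {
        _lifetime = lifetime; _ticket = ticket; Stored = ticket;
    }

    // Sliding expiration: queue a refresh once less time remains than has elapsed.
    public void Authenticate(DateTimeOffset now) =>
        _shouldRefresh = (_ticket.ExpiresUtc - now) < (now - _ticket.IssuedUtc);

    // Re-issuing with the existing properties keeps their expiry; the store gets the old value.
    public void SignIn() { _signInCalled = true; Stored = _ticket; }

    // Assumption: the queued refresh is skipped when sign-in already ran on this request.
    public void FinishResponse(DateTimeOffset now)
    {
        if (!_shouldRefresh || _signInCalled) return;
        Stored = new Ticket(now, now + _lifetime);
    }
}
```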