Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Session cookies with Identity Server

See original GitHub issue

Configuration

Version: 0.7.1
Integration: native, Kotlin
Identity provider: IdentityServer 4

Description

It appears that cookies are not stored or somehow ignored when trying to “stay logged in” and to recreate a session while using the custom tabs browser.

We are using the grant type code, with the scope “openid profile email api”. For actual authentication through the provided identity server login mask we are using the regular getAuthoriziationRequestIntent method and custom tabs.

    @TargetApi(Build.VERSION_CODES.LOLLIPOP)
    public Intent getAuthorizationRequestIntent(
            @NonNull AuthorizationRequest request) {
        return getAuthorizationRequestIntent(request, createCustomTabsIntentBuilder().build());
    }

However, when returning to the login mask after already logging in successfully, and basically telling identity server to maintain a session, it just does not remember and gives us a new session with new idrsrv.session cookie and .AspNetCore.Identity.Application cookie. Bildschirmfoto 2021-03-11 um 09 51 08

We would expect an immediate redirect. My understanding is, that custom tabs actually do store and use cookies, they even have shared cookie storage with chrome. So my question would be, if there are any known pitfalls or issues, that we might be overseeing, because at this point we are kinda dumbfounded.

Issue Analytics

State:
Created 3 years ago
Reactions:6
Comments:13

Top GitHub Comments

1reaction

brockallencommented, Jun 9, 2021

You should really discuss this with IdentityServer developers if you need further help as it’s a topic on how you write and configure your service.

Strictly speaking, it’s the feature of the ASP.NET Core cookie authentication handler, and not specifically IdentityServer.

1reaction

agologancommented, Jun 9, 2021

IsPersistent is IdentityServer-related. Not exactly sure how it looks in IdentityServer 4 but on IdentityServer3 it was directly on the AuthenticationOptions.CookieOptions.IsPersistent You should really discuss this with IdentityServer developers if you need further help as it’s a topic on how you write and configure your service.

Top Results From Across the Web

Sign-in — IdentityServer4 1.0.0 documentation

In addition to the authentication cookie, IdentityServer will issue an additional cookie which defaults to the name “idsrv.session”. This cookie is derived from ......

Authentication Session - Duende IdentityServer Documentation

This authentication session is based on ASP. ... Duende IdentityServer registers a cookie authentication handler by default for the authentication session.

c# - Why having cookies on token based authentication using ...

Your Identity Server application needs an authentication cookie (and session ID cookie) so that the front channel endpoints (authorize, ...

Cookies, tokens and session lifetime with Identity Server

As long as the user is active on the site, the session remains valid (i.e. we have a sliding session, it won't expire...

Q: How to properly work with cookies and sessions · Issue #701

What I currently have working: - Login on IdentityServer - Cookie lifetime 5 days - Go to site logs in, cookie lifetime session?...