
Documentation for RP Initiated Logout, and Index Session Deletion from Redis, when session naturally expires

Open dreamstar-enterprises opened this issue 1 year ago • 0 comments

Expected Behavior

My Spring BFF sort of almost works (I'm now in month 3 of trying to create a robust login page).

Explicit Logout

When I explicitly log out, the following function gets called, and so the session is deleted from (i) namespace > sessions, (ii) namespace > sessions > expires, (iii) namespace > sessions > session id > idx, and (iv) namespace > sessions > expiration (sorted set):

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt#L40

Which calls this and this:

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt#L51

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt#L53

Which calls this and this:

https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/web/server/session/SpringSessionWebSessionStore.java#L162

https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/web/server/session/SpringSessionWebSessionStore.java#L100

Which both ultimately call this:

https://github.com/spring-projects/spring-session/blob/main/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisIndexedSessionRepository.java#L387

The 4 delete methods in here get called

https://github.com/spring-projects/spring-session/blob/main/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisIndexedSessionRepository.java#L391

The following also gets called to do an RP Initiated Logout (to end the session that exists with the Auth0 Authorization server too)

  • the delete BFF session, delete 2 cookies here:

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt

  • the logout from the auth server here (RP Initiated Logout):

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/oauth2/OAuth2ServerLogoutSuccessHandler.kt

Natural BFF session expiration

But how do I do the above when the BFF session reaches its natural expiration time? When this happens, Redis still leaves the following:

[image]

Also, the Auth0 session is never logged out from (so if the person logs in again via the Spring BFF, and the Auth0 session is still valid, it will silently log in without showing the Auth0 login page).

dreamstar-enterprises, Sep 07 '24 10:09