Feature Spotlight: Session Management

For our 6.1 we have added first class support for server-side sessions and better session management features.

The Problem

Normally when a user establishes an authentication session in the browser for an ASP.NET Core application, the state for that session is contained entirely within the cookie. This is also true for authentication sessions in Duende IdentityServer.

This means, by default, it’s difficult to perform advanced session management tasks such as:

  • Know how many or which users are actually logged in
  • Know which client applications your users have logged into
  • Remotely deactivate the user’s authentication session
  • Know if the user is active or inactive across the entire system
  • Log the user out across the entire system if they are inactive

If you have any of these session management requirements, then the default mechanics of the self-contained cookie presents an obstacle.

The Solution

To enable all of the above scenarios, sessions must be managed server-side. This has always been possible with ASP.NET Core, but our implementation is tuned for the role of IdentityServer as your OpenID Connect provider and OAuth token server, and includes tracking users, clients, and sessions.

By tracking sessions at IdentityServer, there is a central location to coordinate all the user’s sessions across all client applications. Additionally, as the user is active in client apps, there are a variety of protocol-friendly ways to track this activity.

When using server-side sessions, there are new services in IdentityServer that can be used to:

  • Query the current user sessions (including which client applications they are logged into)
  • End a user’s session (not only in IdentityServer, but also in the associated client applications)
  • Revoke any associated grants that were issued as part of a session (such as refresh tokens)
  • Detect when a user session is inactive and log the user out everywhere

Many of these features are compelling and are often required in certain industries (e.g. healthcare and banking). In addition, these session management features could allow for several higher-level security controls, such as administrative tooling, or logging a user out everywhere when needed (e.g. when a user changes their password).

This new feature is available now in the 6.1 preview. See below for the documentation and samples. Please give it a try!