
Prevent Concurrent Login & Session Revocation not working #7786


BenS-FreshRF created
  • ABP Framework version: v8.3.0-rc.1 (migrated from 7.2)
  • UI Type: Blazor WASM
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace: No exceptions
  • Steps to reproduce the issue:
    • Set the Session Management Prevent Concurrent Login setting to 'Logout from All Devices'
    • Log out / log in again
    • Open new browser window and log in, old browser window should be logged out but continues working
    • Open new incognito browser window and log in, old browser windows should be logged out but continue working
    • Open new instance of different browser (Firefox instead of Chrome) and log in, all Chrome windows should be logged out but continue working
    • Navigate to Identity Management -> Users -> User sessions -> Revoke all Sessions
    • If you Revoke the Session marked as 'Current' it correctly logs the user out
    • But if all other Sessions are Revoked the other browser windows still continue working
    • Revoking the 'Current' User Session from another browser window leaves zero sessions active but all browser windows continue working

End result is four active working browsers (2 in Chrome, 1 in Chrome Incognito, 1 in Firefox) with zero active sessions and Prevent Concurrent Login turned on. Refreshing any of the browsers causes the WASM page to reload, creating new sessions without asking for credentials.

Have logged on / off and restarted the Blazor and HttpApi.Host instance and rebuilt the project after setting the Prevent Concurrent Logins. Deleting all sessions out of the AbpSessions table also leaves all browsers active and logged in.


7 Answer(s)
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I could not reproduce the problem.

    My steps:

    • abp new Qa7786 -u blazor -d mongodb --preview -v 8.3.0-rc.1
    • Run projects and set Logout from All Devices

  • liangshiwei created
    Support Team Fullstack Developer

    You can create a new project to compare what the difference is.

  • BenS-FreshRF created

    Have been comparing with a newly generated v8.3.0-rc.1 project, no major differences in any of the module configurations (other than the new DynamicClaims which I've implemented with no change).

    Where is the Session checking actually implemented in the client projects?

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    See https://abp.io/docs/latest/modules/identity/session-management#how-it-works

  • BenS-FreshRF created

    This still isn't working.

    I've got the Sessions correctly being removed from the database on user login in line with the Logout from All Devices setting, but those users still have access to the system. It times out after an hour of inactivity, but users with an active valid session are also timing out after an hour of inactivity.

    Have upgraded to v8.3.0-rc.3 but still cannot see any changes between a new generated project and our solution in regards to modules imported and middleware being started.

    What specific part of the Blazor.Client is checking the session validity? Or is it going back to the Host running OpenIddict to check that?

  • BenS-FreshRF created

    So one thing I just noticed is a solid disconnect between our HttpApi.Host and the Blazor.Client. Restarting the API in debugging mode causes the authenticated user to no longer be logged in on the host side, but that same user can still use the Client page without reauthenticating and without any issue. This may be related to the fact that every login generates two sessions, which I assumed was normal behaviour (one for host and one for client) but now I'm not so sure.

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Could you share a minimal reproducible project with me? I will check it.

    shiwei.liang@volosoft.com

Updated on September 19, 2024, 10:13