This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Monitor session and UserStore #1353

Open
ascazzola opened this issue Apr 29, 2021 · 9 comments


ascazzola commented Apr 29, 2021

Hello,

I have an identity server with some clients (Angular). I'm using

  • MonitorSession = true and
  • WebStorageStateStore = localstorage

I'm doing these steps:

  1. Go to client1 and log in with user1
  2. In the same browser tab, go to client2, and user1 is logged in (this is correct)
  3. Go to the logout and log in with another user (user2); after that I am automatically redirected to client2
  4. In the same browser tab, I return to client1

The issue with it is:
client1 gets user1 from localStorage, and when the session monitor validates it with querySessionStatus a logout is executed because user.sub and sessionstatus.sub are different.

I'm trying to understand if localStorage and monitorSession can be used together and how I can avoid this issue. For now I'm using InMemoryStore to avoid it, but I want to understand if this is the correct behavior.

Thanks in advance

@brockallen
Member

Well, I'm not sure there's a right answer for what's correct behavior. This is a library and you can use it in many ways to satisfy your requirements.

@ascazzola
Author

@brockallen thanks. Are monitorSession=true and WebStorageStateStore = localstorage compatible at the same time?

@brockallen
Member

Sure.

@ascazzola
Author

@brockallen I don't understand how I can avoid the issue that I explained with that configuration, when the monitorSession gets from UserManager.getUser() a user that was logged off in another client.

@brockallen
Member

Well, this is why the default is to use sessionStorage for the user storage. They will remain isolated that way, and then your monitor session will detect that the user has changed.

@ascazzola
Author

@brockallen the issue happens with session storage too, because it is persisted until the browser / tab is closed.

@ascazzola
Author

@brockallen maybe my comment was not clear. The problem that I have is that the monitor session detects that the user has changed and triggers the logout, but the logout was already done in another client and I'm logged in with another user.

@brockallen
Member

Never trigger logout automatically. Only when the user clicks logout.

@ascazzola
Author

ascazzola commented May 18, 2021

@brockallen I followed the code, and the _start method on the SessionMonitor calls

this._checkSessionIFrame = new this._CheckSessionIFrameCtor(this._callback.bind(this), client_id, url, interval, stopOnError);

and the _callback method gets the user from the user manager and querySessionStatus, and if the subs are different it triggers the logout event. But in my case another user is logged in and the logout was done in another client. I will attach the logs.

In brief, when the next log is executed, I don't understand how I should avoid the logout action and update the logged-in user:

Log.debug("SessionMonitor._callback: Different subject signed into OP:", session.sub);
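
One way to handle the situation discussed in this thread (a cached user1 in localStorage while user2 now holds the OP session) without an automatic logout, as an added example that is not part of the thread or of the oidc-client project's code. `decideAction`, `onUserSignedOut` and `fakeManager` are hypothetical names, and the error shape checked for `login_required` is an assumption:

```javascript
// Added example: reconcile a cached user with the OP session instead of logging out.
// Pure decision: cachedUser is what the userStore returned, session is the result of
// querySessionStatus() (null when nobody is signed in at the OP).
function decideAction(cachedUser, session) {
  const cachedSub = cachedUser && cachedUser.profile ? cachedUser.profile.sub : null;
  if (!session || !session.sub) return cachedSub ? "clear-local" : "none";
  if (!cachedSub) return "signin-silent";
  return session.sub === cachedSub ? "none" : "replace-user";
}

// Handler for the signed-out event. It never calls signoutRedirect(): the OP
// session belongs to whoever is signed in now, so only this client's copy is touched.
async function onUserSignedOut(mgr) {
  const cached = await mgr.getUser();
  const session = await mgr.querySessionStatus().catch((e) => {
    // Assumption: a missing OP session surfaces as a "login_required" error.
    if (e && (e.error === "login_required" || e.message === "login_required")) return null;
    throw e; // transient failure: leave the cached user untouched
  });
  const action = decideAction(cached, session);
  if (action === "clear-local" || action === "replace-user") {
    await mgr.removeUser(); // drop the stale tokens from this client's store
  }
  if (action === "replace-user" || action === "signin-silent") {
    await mgr.signinSilent(); // obtain tokens for the subject now at the OP
  }
  return action;
}

// Constructed stand-in for UserManager so the flow runs without a browser or OP.
function fakeManager(cachedSub, opSub) {
  const calls = [];
  return {
    calls,
    getUser: async () => (cachedSub ? { profile: { sub: cachedSub } } : null),
    querySessionStatus: async () => {
      if (!opSub) throw new Error("login_required");
      return { sub: opSub, session_state: "constructed", sid: "constructed" };
    },
    removeUser: async () => { calls.push("removeUser"); },
    signinSilent: async () => { calls.push("signinSilent"); },
  };
}

// With the real library: mgr.events.addUserSignedOut(() => onUserSignedOut(mgr));
```

Removing the stale user before the silent sign-in keeps user1's tokens from being used by client1 while user2 holds the session at the OP.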
