Cookie renew ticket if it already exists (#22732)

2020-06-16 14:51:57 -07:00 · 2020-06-16 14:51:57 -07:00 · c330c0b37d
parent b40b1bb7b2
commit c330c0b37d
1 changed files with 10 additions and 4 deletions
--- a/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs
+++ b/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs
@ -141,12 +141,13 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
                {
                    return AuthenticateResult.Fail("SessionId missing");
                }
-                _sessionKey = claim.Value;
-                ticket = await Options.SessionStore.RetrieveAsync(_sessionKey);
+                // Only store _sessionKey if it matches an existing session. Otherwise we'll create a new one.
+                ticket = await Options.SessionStore.RetrieveAsync(claim.Value);
                if (ticket == null)
                {
                    return AuthenticateResult.Fail("Identity missing in session store");
                }
+                _sessionKey = claim.Value;
            }

            var currentUtc = Clock.UtcNow;
@ -304,9 +305,14 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
            {
                if (_sessionKey != null)
                {
-                    await Options.SessionStore.RemoveAsync(_sessionKey);
+                    // Renew the ticket in cases of multiple requests see: https://github.com/dotnet/aspnetcore/issues/22135
+                    await Options.SessionStore.RenewAsync(_sessionKey, ticket);
                }
-                _sessionKey = await Options.SessionStore.StoreAsync(ticket);
+                else
+                {
+                    _sessionKey = await Options.SessionStore.StoreAsync(ticket);
+                }
+
                var principal = new ClaimsPrincipal(
                    new ClaimsIdentity(
                        new[] { new Claim(SessionIdClaim, _sessionKey, ClaimValueTypes.String, Options.ClaimsIssuer) },