Expired server side sessions not deleted immediately

[goncalo-silva-prt]

I’m using server-side sessions in both IdentityServer (ServerSideSessions.RemoveExpiredSessions and ServerSideSessions.RemoveExpiredSessions are both enabled) and IdentityServer.BFF. I’ve noticed an issue related to session expiration and cleanup.

There seems to be a time window between when a session expires and when the cleanup job runs. During this period:

1. The session is invalid in IdentityServer (because it’s expired).
2. But the session is still considered valid in the BFF.

My expectation is that once the session is expired, it should be deleted and the backchannel logout should be triggered immediately (as described here).

In particular, I would expect that when DefaultSessionCoordinationService.ValidateSessionAsync detects that a session is invalid, it should also trigger the deletion process (and consequently backchannel logout), instead of relying on the cleanup job to run later.

I am aware that I could override ValidateSessionAsync to implement custom behavior, but I want to make sure I’m not missing any configuration or built-in mechanism.

[AndersAbel]

Thank you for raising this issue. We will follow up with the product team and get back to you.

[AndersAbel]

I've brought this up with the product team and got some explanations back. The server side session is represented as a record in the session store database. When the session is expired, two things could cause that to be detected:

1. If there is a request to IdentityServer, the code you found is executed and removes the session, including issuing back-channel logout notifications.
2. A back-ground job regularly executes and sends back-channel logout notifications for any sessions that has expired since last time it did run.

If you need quicker response time for session timeout, what you can do is to lower the frequency of the background job by changing IdentityServerOptions.ServerSideSessions.RemoveExpiredSessionsFrequency. The default value is 10 minutes.

[goncalo-silva-prt]

Hi, thanks for the clarification. However, what you mentioned in point 1 doesn’t seem to be happening on my side, even though IdentityServer is being called

Just to give a bit more context, this is what happens on my side:

• My UI checks whether the UI session is valid through /bff/user.
• If it’s valid, it tries to load user info (which triggers a call to IdentityServer).
• If IdentityServer returns 401 (i.e: session is expired), it goes back to step 1, and a infinite loop starts.

From the logs, I can see that IdentityServer is definitely being hit — the /connect/token endpoint is invoked repeatedly.
Each time, it finds the session in ServerSideSessionStore, but immediately after that it reports the session as invalid:

Duende.IdentityServer.EntityFramework.Stores.ServerSideSessionStore|DEBUG|Found 1 server-side sessions for {"SubjectId":"e16348e7-165d-4bec-9c2c-2779b1a17a5f", "SessionId":"CAF947AE2B6378DC7C904C69F0AA7FB1"} 
Duende.Identity.Infrastructure.Security.DefaultSessionCoordinationService|DEBUG|Due to missing/expired server-side session, failing token validation for subject id e16348e7-165d-4bec-9c2c-2779b1a17a5f and session id CAF947AE2B6378DC7C904C69F0AA7FB1

This sequence keeps repeating until the ServerSideSessionCleanup job runs.

You can check the logs bellow:

2025-10-08 08:40:00.9721|Duende.IdentityServer.Hosting.EndpointRouter|DEBUG|Request path /connect/token matched to endpoint type Token 
2025-10-08 08:40:00.9881|Duende.IdentityServer.Hosting.EndpointRouter|DEBUG|Endpoint enabled: Token, successfully created handler: Duende.IdentityServer.Endpoints.TokenEndpoint 
2025-10-08 08:40:00.9881|Duende.IdentityServer.Hosting.IdentityServerMiddleware|INFO|Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.TokenEndpoint for /connect/token 
2025-10-08 08:40:00.9881|Duende.IdentityServer.Endpoints.TokenEndpoint|DEBUG|Start token request. 
2025-10-08 08:40:00.9881|Duende.IdentityServer.Validation.ClientSecretValidator|DEBUG|Start client validation 
2025-10-08 08:40:00.9881|Duende.IdentityServer.Validation.BasicAuthenticationSecretParser|DEBUG|Start parsing Basic Authentication secret 
2025-10-08 08:40:00.9881|Duende.IdentityServer.Validation.ISecretsListParser|DEBUG|Parser found secret: BasicAuthenticationSecretParser 
2025-10-08 08:40:00.9881|Duende.IdentityServer.Validation.ISecretsListParser|DEBUG|Secret id found: spa-bff 
2025-10-08 08:40:01.0070|Duende.IdentityServer.EntityFramework.Stores.ClientStore|DEBUG|spa-bff found in database: True 
2025-10-08 08:40:01.0070|Duende.IdentityServer.Stores.ValidatingClientStore|DEBUG|client configuration validation for client spa-bff succeeded. 
2025-10-08 08:40:01.0070|Duende.IdentityServer.Validation.ISecretsListValidator|DEBUG|Secret validator success: HashedSharedSecretValidator 
2025-10-08 08:40:01.0070|Duende.IdentityServer.Validation.ClientSecretValidator|DEBUG|Client validation success 
2025-10-08 08:40:01.0070|Duende.IdentityServer.Validation.TokenRequestValidator|DEBUG|Start token request validation 
2025-10-08 08:40:01.0168|Duende.IdentityServer.Validation.TokenRequestValidator|DEBUG|Start validation of refresh token request 
2025-10-08 08:40:01.0168|Duende.IdentityServer.EntityFramework.Stores.PersistedGrantStore|DEBUG|D8D97C9343BAC286387B4AFD6E071D8C5E95F6525A8A5DFC9F2C57033F522C24 found in database: True 
2025-10-08 08:40:01.0257|Duende.IdentityServer.EntityFramework.Stores.ServerSideSessionStore|DEBUG|Found 1 server-side sessions for {"SubjectId":"e16348e7-165d-4bec-9c2c-2779b1a17a5f", "SessionId":"CAF947AE2B6378DC7C904C69F0AA7FB1"} 
2025-10-08 08:40:01.0401|Duende.Identity.Infrastructure.Security.DefaultSessionCoordinationService|DEBUG|Due to missing/expired server-side session, failing token validation for subject id e16348e7-165d-4bec-9c2c-2779b1a17a5f and session id CAF947AE2B6378DC7C904C69F0AA7FB1 
2025-10-08 08:40:01.0781|Duende.IdentityServer.Validation.TokenRequestValidator|WARN|Refresh token validation failed. aborting, {"ClientId":"spa-bff", "ClientName":"UI BFF", "GrantType":"refresh_token", "AuthorizationCode":"********", "RefreshToken":"********", "Raw":{"grant_type":"refresh_token","refresh_token":"***REDACTED***"}} 

SECOND CALL

2025-10-08 08:40:01.1971|Duende.IdentityServer.Hosting.EndpointRouter|DEBUG|Request path /connect/token matched to endpoint type Token 
2025-10-08 08:40:01.1971|Duende.IdentityServer.Hosting.EndpointRouter|DEBUG|Endpoint enabled: Token, successfully created handler: Duende.IdentityServer.Endpoints.TokenEndpoint 
2025-10-08 08:40:01.1971|Duende.IdentityServer.Hosting.IdentityServerMiddleware|INFO|Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.TokenEndpoint for /connect/token 
2025-10-08 08:40:01.1971|Duende.IdentityServer.Endpoints.TokenEndpoint|DEBUG|Start token request. 
2025-10-08 08:40:01.1971|Duende.IdentityServer.Validation.ClientSecretValidator|DEBUG|Start client validation 
2025-10-08 08:40:01.1971|Duende.IdentityServer.Validation.BasicAuthenticationSecretParser|DEBUG|Start parsing Basic Authentication secret 
2025-10-08 08:40:01.1971|Duende.IdentityServer.Validation.ISecretsListParser|DEBUG|Parser found secret: BasicAuthenticationSecretParser 
2025-10-08 08:40:01.1971|Duende.IdentityServer.Validation.ISecretsListParser|DEBUG|Secret id found: spa-bff 
2025-10-08 08:40:01.5060|Duende.IdentityServer.EntityFramework.Stores.ClientStore|DEBUG|spa-bff found in database: True 
2025-10-08 08:40:01.5060|Duende.IdentityServer.Stores.ValidatingClientStore|DEBUG|client configuration validation for client spa-bff succeeded. 
2025-10-08 08:40:01.5060|Duende.IdentityServer.Validation.ISecretsListValidator|DEBUG|Secret validator success: HashedSharedSecretValidator 
2025-10-08 08:40:01.5060|Duende.IdentityServer.Validation.ClientSecretValidator|DEBUG|Client validation success 
2025-10-08 08:40:01.5060|Duende.IdentityServer.Validation.TokenRequestValidator|DEBUG|Start token request validation 
2025-10-08 08:40:01.5060|Duende.IdentityServer.Validation.TokenRequestValidator|DEBUG|Start validation of refresh token request 
2025-10-08 08:40:01.7182|Duende.IdentityServer.EntityFramework.Stores.PersistedGrantStore|DEBUG|D8D97C9343BAC286387B4AFD6E071D8C5E95F6525A8A5DFC9F2C57033F522C24 found in database: True 
2025-10-08 08:40:01.7981|Duende.IdentityServer.EntityFramework.Stores.ServerSideSessionStore|DEBUG|Found 1 server-side sessions for {"SubjectId":"e16348e7-165d-4bec-9c2c-2779b1a17a5f", "SessionId":"CAF947AE2B6378DC7C904C69F0AA7FB1"} 
2025-10-08 08:40:01.7981|Duende.Identity.Infrastructure.Security.DefaultSessionCoordinationService|DEBUG|Due to missing/expired server-side session, failing token validation for subject id e16348e7-165d-4bec-9c2c-2779b1a17a5f and session id CAF947AE2B6378DC7C904C69F0AA7FB1
...

[AndersAbel]

Thank you for your follow up.

I should have been more clear in my description:

1. If there is a request from the browser to IdentityServer, the code you found is executed and removes the session, including issuing back-channel logout notifications.

When we fail the refresh token validation due to the session being expired, we obviously have all the information required to fire the back channel logout notifications right away. I'll bring this back to the team and ask them if there's something we can do.

[goncalo-silva-prt]

any update?

[AndersAbel]

The product team is looking into this, but I do not have any conclusion to share yet.