end_session handling with server side sessions when cookie is blocked #343
AndersAbel
started this conversation in
Feature requests
Replies: 0 comments
It is more and more common that browsers (I'm looking at you Safari) block cookies on cross-site navigations, especially if the user has not been active on the target site for some time. One such scenario is when a client redirects to the OP `end_session` endpoint. At the `end_session` endpoint, IdentityServer reads the session cookie to get the authentication properties that contain the list of active clients to notify. If the session cookie cannot be read, the default behaviour (can be changed with the `RequireAuthenticatedUserForSignOutMessage` flag) is to display the logout page, but no other clients are notified. If cookies are blocked by the browser, that also disables the "last resort" of issuing a `set-cookie` header in the response in an effort to blindly remove the cookie. The result of this is that the user is shown an assuring "you are logged out" message while they can still be logged in both to IdentityServer and other clients in the session.
If server side sessions are used and the client included an `id_token_hint`, it would be possible to find the information even if the session cookie is blocked. The `id_token_hint` contains the `sub` and `sid` and with those, it's possible to use the `ServerSideSession.GetSessionsAsync()` method to find the server side session. This would enable both notification to other clients as well as revocation of the IdentityServer session.
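The fallback the request describes, as an added example that is not part of the discussion and not IdentityServer's code: an `end_session` handler that uses the session cookie when the browser sent it and otherwise locates the server-side session by the `sub` and `sid` claims of a verified `id_token_hint`. The HS256 signing key, the issuer, the in-memory session store and the client ids are constructed stand-ins; a real OP checks the hint against its published asymmetric keys. The point the example makes beyond the post is that the hint has to be signature-, issuer- and audience-checked before it is allowed to drive notification and revocation, otherwise a crafted hint could end an arbitrary user's session.

```python
# Added example: not code from the GitHub discussion or from IdentityServer.
# Sketches an end_session handler that reads the session cookie when present
# and otherwise falls back to a *verified* id_token_hint to locate the
# server-side session by (sub, sid). ISSUER, SIGNING_KEY, the in-memory store
# and the client ids are constructed stand-ins for a real OP configuration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://op.example"       # constructed issuer
SIGNING_KEY = b"demo-signing-key"   # constructed; real OPs use asymmetric keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, sid: str, aud: str, key: bytes = SIGNING_KEY) -> str:
    """Issue a minimal id_token carrying sub and sid (stand-in for the OP's token service)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "sid": sid, "aud": aud,
              "exp": int(time.time()) + 3600}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token_hint(token: str, registered_clients: set) -> Optional[tuple]:
    """Return (sub, sid) only if the hint was issued by this OP to a known client.

    Signature, alg, iss and aud are all checked: an unverified hint would let
    anyone craft a logout request that revokes an arbitrary user's session.
    exp is deliberately not enforced; RP-initiated logout expects the OP to
    accept hints for sessions that are still current after the token expired.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                          # malformed base64 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":            # reject "none" and alg confusion
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") not in registered_clients:
        return None
    if "sub" not in claims or "sid" not in claims:
        return None
    return claims["sub"], claims["sid"]


def new_session_store() -> dict:
    """Constructed server-side sessions keyed by (sub, sid), as an OP would persist them."""
    return {
        ("alice", "sid-1"): {"clients": ["mvc-client", "spa-client"], "revoked": False},
        ("bob", "sid-2"): {"clients": ["mvc-client"], "revoked": False},
    }


def end_session(store: dict, cookie: Optional[tuple], id_token_hint: Optional[str],
                registered_clients: set) -> dict:
    """Handle end_session: prefer the session cookie, fall back to id_token_hint.

    Returns which source located the session, which clients would receive a
    logout notification, and whether the server-side session was revoked.
    """
    key, source = None, None
    if cookie is not None:                      # normal path: cookie readable
        key, source = cookie, "cookie"
    elif id_token_hint is not None:             # cookie blocked by the browser
        key, source = verify_id_token_hint(id_token_hint, registered_clients), "id_token_hint"
    session = store.get(key) if key is not None else None
    if session is None:
        # Nothing to act on: the OP can only show the logout page, which is
        # the silent failure the discussion describes.
        return {"source": None, "notified": [], "revoked": False}
    session["revoked"] = True                   # revoke the OP session
    return {"source": source, "notified": list(session["clients"]), "revoked": True}


if __name__ == "__main__":
    store = new_session_store()
    hint = mint_id_token("alice", "sid-1", "mvc-client")
    print(end_session(store, None, hint, {"mvc-client", "spa-client"}))
```

With the cookie absent and a valid hint, the handler still finds the session, lists both clients for notification and marks the session revoked; with neither cookie nor hint it returns nothing to act on, and a hint signed with the wrong key or issued to an unregistered client is ignored rather than trusted.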