Extending a session is not working

[richarddavenport]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

Version 1.2.0 but also tried 1.3.1
We self host and use asp.net for our backend.

We call toSession and then pass the session.id to the extendSession endpoint. In the database, I can see the session.expires_at is updated to the correct time. We also extend the expiration of the cookie to match the expiration.

Here's the problem: I set the lifespan to "1m" for testing. During the 1 minute we extend the session (up to this point everything seems to be accurate). After 1 minute the initial 1 minute lifespan has passed we call toSession and the endpoint gives us back this error:

{Ory.Client.Client.ApiException: Error calling ToSession: {"error":{"code":401,"status":"Unauthorized","reason":"No valid session credentials found in the request.","message":"The request could not be authorized"}}

   at Ory.Client.Api.FrontendApi.ToSessionWithHttpInfoAsync(String xSessionToken, String cookie, String tokenizeAs, CancellationToken cancellationToken)
   at Ory.Client.Api.FrontendApi.ToSessionAsync(String xSessionToken, String cookie, String tokenizeAs, CancellationToken cancellationToken)
   at MBP.Api.Services.KratosService.WhoAmI(String cookie) in /monorepo/MBP/Api/Services/KratosService.cs:line 73}

But we are sending the same cookie that worked a few seconds prior.
Any guidance would be very helpful. Thanks.

Reproducing the bug

Run kratos, get a session.
Try to extend the session.
Wait until the original lifespan would have expired.
Call toSession with the cookie and we get the error.

Relevant log output

Relevant configuration

session:
  lifespan: 1m
  earliest_possible_extend: 45s

Version

1.2.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker

Additional Context

No response

[Hiroki6]

I'm also facing the same issue.
I debugged a bit, then saw the error below when retrieving a cookie from the CookieStore.

securecookie: expired timestamp

kratos/session/manager_http.go

Line 207 in c829295

return s.r.CookieManager(r.Context()).Get(r, s.cookieName(r.Context()))

Is it because the cookie stored in the CookieStore is not extended?

[Hiroki6]

I found a similar discussion.

#2559

[richarddavenport]

I found a similar discussion.

#2559

Thank you @Hiroki6.
Hoping someone will take a look at this one. I'm going to test restarting kratos after extending the session. If this works it tells me there is a problem in kratos itself and not the database or cookie.

[jonas-jonas]

The extend session endpoint is meant for active sessions only. If the session is expired, it cannot be extended anymore.

Is this what you're running into?

[richarddavenport]

The extend session endpoint is meant for active sessions only. If the session is expired, it cannot be extended anymore.

Is this what you're running into?

@jonas-jonas I don't think so. I know it sounds like that's whats happening. I can try and explain it better. I edited my initial post to possibly help clear it up.

Assuming 1 minute lifespan and a 45 second earliest_possible_extend:
0:00 -> Start Session --> 45 seconds later --> extend session --> 15 seconds later (now 1 minute total) --> session seems to be expired (but should not be)

[aeneasr]

Is this about tokens or cookies or both?

In what scenario did you find this feature working?

[Hiroki6]

This issue is related to cookies in my case.
I was able to resolve it by following these steps:

1. Extend the session by calling the /admin/sessions/{id}/extend endpoint (this endpoint doesn't do anything with cookie).
2. Call the whoami endpoint using the old cookie.
3. Replace the old cookie with the new one returned by the whoami endpoint. (this endpoint refresh and return the cookie if the expiration of the incoming cookie has a shorter expiration than the extended session).

The new cookie has the same expiration as the extended session.
I'm not sure if this is the proper way to extend a session along with the cookie, but it worked for me.

[richarddavenport]

@aeneasr This is for cookies I believe.

In what scenario did you find this feature working?

I'm not sure what you mean exactly. The feature doesn't seem to work the way I would have imagined it working… I would have thought to just call the extend session method and I could reuse the same cookie value. But it doesn't seem to work that way.

@Hiroki6 Thanks for explaining what you found. I tested and it does work.

It still seems very bizarre to me to jump through 3 different api endpoints to do something in what could be 1… Here is a snippet of our c# code to make this work:

    public async Task<ClientSession> WhoAmI(string cookie)
    {
        try
        {
            var value = WebUtility.UrlDecode(cookie);
            var session = await FrontendApi.ToSessionAsync(null, value);
            var extendedsession = await IdentityApi.ExtendSessionWithHttpInfoAsync(session.Id);
            var sessionHttpInfo = await FrontendApi.ToSessionWithHttpInfoAsync(null, value);
            if (session.ExpiresAt != extendedsession.Data.ExpiresAt)
            {
                _httpContextAccessor.HttpContext.Response.Cookies.ExtendKratosSessionCookie(sessionHttpInfo.Cookies[1].Value, sessionHttpInfo.Cookies[1].Expires);
            }

            return session;
        }
        catch (Exception ex)
        {
            _logger.LogError("Kratos Exception: {0}", ex);
            throw new KratosUnauthorizedException();
        }
    }

Is there any reason why it could just be one call to the api?