Session appears to persists across multiple browsers, even in private mode

I’ve created an MVC Core app that authenticates against IdentityServer and uses a custom AuthUserSession along with the NetCoreIdentityAuthProvider to enforce and pass through authentication to the ServiceStack layer. A strange behaviour I encounter is that if I launch the site in a completely different browser under private browsing, it shows me incorrectly as authenticated at an ServiceStack endpoint, while it correctly identifies me as unauthenticated at the MVC controller endpoint.

Any thoughts as to why this might be happening? Is there something being cached in ServiceStack and how can the authenticated session persist between completely different browsers (though running on the same box)?

The NetCoreIdentityAuthProvider should only be creating an Authenticated UserSession if an Authenticated identity has been assigned to the Request:

Can you provide the raw HTTP Request/Response Headers of a Request you’re seeing this behavior in, can you also provide the full code you’re using to register NetCoreIdentityAuthProvider.

Otherwise ServiceStack NuGet packages are SourceLink enabled, which should make them easier to debug, Can you put a breakpoint on PreAuthenticate() and let me know if the claimsPrincipal attached to the request is authenticated, i.e. claimsPrincipal.Identity.IsAuthenticated == true.

Thanks. I was incorrectly passing the AuthUserSession as a property using the instance rather than a function to the constructor. All good now.

1 Like