SessionQuery returns substring matches

[henrikottesorensen]

IdentityServer version

7.2.0

.NET version

.NET 8.0

Description

We have implemented a serverside session limit functionality on top of the built in server side management in IdentityServer. However, when it has been enabled, users have been logged out when they shouldn't be. Debugging it in non-production environments has been difficult, but with extensive logging in production and the code forced not to actually terminate sessions. We could finally see a pattern. It seems that the SessionQuery filter does a Contains check not an equality check.

var userSessions = await _sessionManagementService.QuerySessionsAsync(new SessionQuery
    {
        CountRequested = 10,
        SubjectId = "12345",
    });

This example from the documentation will not only match Sessions for the user with the subject Id 12345 but also user 123456, bob12345 or any other subjectId that contains the substring 12345. Is that really the intention? Seems a surprising behaviour to me, based on the documentation, and with how the PersistedGrantFilter works.

The Session Query filtering seems to be happening here: https://github.com/DuendeSoftware/products/blob/9acf4079dbc21f807cda52beb9a4b9bf77b479a6/identity-server/src/EntityFramework.Storage/Stores/ServerSideSessionStore.cs#L502

Reproduction steps

No response

Expected behavior

SessionQuery filtering would filter based on equality checks, if SubjectId, SessionId or DisplayName is supplied.

Logs

No response

Additional context

No response

[RolandGuijt]

The code you're referring to was written to accommodate searches from the UI. 'ApplyFilter' is called from 'QuerySessionsAsync' which is ultimately called from the (template or custom) UI. We used Contains to support partial matches as users type.
Avoiding calling UI related methods from the custom functionality you mention should solve the problem.