We have an issue in our production environment where a user was authenticated as another user who had logged in previously (even if the other user had already logged out).

We use a custom ITicketStore which stores the ticket in Redis and MySQL. We treat Redis as optional to reduce MySQL traffic.

The user signs in at an endpoint called "Login", the ticket is stored via ITicketStore, the user receives the response cookie, and is redirected to the Duende IdentityServer middleware called AuthorizeCallbackEndpoint.

When the user is redirected to this endpoint, we can see from the application log that it retrieves the ticket from ITicketStore using the correct key (the same key generated for them when they signed in at the "Login" endpoint). The response of this AuthorizeCallbackEndpoint is a cookie that shows the current user is not the one that signed in.

It seems that when ITicketStore retrieves the ticket using the correct key, it returns a wrong value (a value that should be stored under another key, or even a value that should already have been removed from Redis, as the other user had already logged out), which should be highly unlikely.

More detail can be seen here: https://github.com/DuendeSoftware/Support/issues/1101

We've tried to replicate the issue in another environment but cannot replicate it. For context, we've used the production environment for 6 months with no issue (at least none reported), until we got a report on 29th January 2024 that they saw another user's data in their dashboard.

We've tried to run an isolated performance test on the custom ITicketStore to see if we can trigger retrieving the wrong value for a given key. The result is that the Redis cache operation works normally with 11 parallel threads doing reads and writes repeatedly.
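The failure described above (a lookup by the right key returning a ticket that belongs to a different session) is exactly the kind of mix-up a ticket store can be made to fail closed on. The following is an added example, not the poster's store and not Duende's or ASP.NET Core's own code: a hypothetical `KeyBoundTicketStore` that records its own key inside each stored ticket and, on `RetrieveAsync`, refuses to return a ticket whose embedded key does not match the key it was looked up by. It assumes an `IDistributedCache` (for instance `AddDistributedMemoryCache()` or `AddStackExchangeRedisCache(...)`) in place of the poster's Redis-plus-MySQL layering; the item name `__ticket_store_key` is an assumption as well.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Logging;

// Hypothetical ITicketStore (added example). Every stored ticket is bound to
// the key it was stored under; a retrieval that yields a ticket bound to a
// different key is treated as a cache miss instead of another user's session.
public sealed class KeyBoundTicketStore : ITicketStore
{
    // Assumed name for the property item that carries the binding key.
    private const string KeyItem = "__ticket_store_key";
    private static readonly TimeSpan DefaultLifetime = TimeSpan.FromHours(8);

    private readonly IDistributedCache _cache;
    private readonly ILogger<KeyBoundTicketStore> _logger;

    public KeyBoundTicketStore(IDistributedCache cache, ILogger<KeyBoundTicketStore> logger)
    {
        _cache = cache;
        _logger = logger;
    }

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // Fresh, unguessable key per session; never derived from user data.
        var key = Guid.NewGuid().ToString("N");
        await RenewAsync(key, ticket);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Record the key inside the ticket so a later lookup can be cross-checked.
        ticket.Properties.Items[KeyItem] = key;

        var bytes = TicketSerializer.Default.Serialize(ticket);
        var options = new DistributedCacheEntryOptions();
        var expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue)
            options.SetAbsoluteExpiration(expires.Value);
        else
            options.SetSlidingExpiration(DefaultLifetime);

        return _cache.SetAsync(key, bytes, options);
    }

    public async Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        var bytes = await _cache.GetAsync(key);
        if (bytes is null)
            return null;

        var ticket = TicketSerializer.Default.Deserialize(bytes);
        if (ticket is null)
            return null;

        // Consistency check: the ticket must be the one stored under this key.
        if (!ticket.Properties.Items.TryGetValue(KeyItem, out var boundKey) || boundKey != key)
        {
            // Keys are session identifiers, so only the fact of the mismatch is logged.
            _logger.LogError("Ticket store returned a ticket bound to a different key; treating as a miss");
            await _cache.RemoveAsync(key);   // fail closed: drop the suspect entry
            return null;
        }

        return ticket;
    }

    public Task RemoveAsync(string key) => _cache.RemoveAsync(key);
}
```

Wire it in by setting `options.SessionStore` on `CookieAuthenticationOptions` (for example from an `IPostConfigureOptions<CookieAuthenticationOptions>` so the store can be resolved from DI). With this check in place, the symptom the question describes turns into a logged error and an unauthenticated redirect rather than a user landing in someone else's dashboard, and the log entry pins down whether the wrong bytes came from the backing store itself or from somewhere between the store and the cookie handler.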
