Skip to content

ATO-2024 Multi-session recovery #7264

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

ATO-2024 Multi-session recovery #7264

wants to merge 1 commit into from

Conversation

Joe-Edwards-GDS
Copy link
Contributor

Wider context of change

https://govukverify.atlassian.net/browse/ATO-2024

The V2 App introduces a new scenario where the app login session clashes with the original client session. In some cases (where the browser is the same) we may still be able to recover.

What’s changed

If

  • The client session in the state does not match the client session in the cookie
  • AND the client session in the state is an active client session
  • AND the client session in the state is linked to the active orch session

Then we continue processing and redirect to the RP using that client session.

N.B. this probably doesn't work as-is due to the need to go via the SPOT spinner which consumes the gs cookie.

Manual testing

TBD

Checklist

  • Successfully deployed to authdev

Related PRs

#6889

Joe-Edwards-GDS
Joe-Edwards-GDS commented Oct 7, 2025
View reviewed changes
ipv-api/src/main/java/uk/gov/di/authentication/ipv/lambda/IPVCallbackHandler.java
if (orchSession
.getClientSessions()
.contains(mismatchedEntity.get().getClientSessionId())) {
LOG.info("Recovering client session from state");
Copy link
Contributor Author

@Joe-Edwards-GDS Joe-Edwards-GDS Oct 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be where we need to update the gs cookie and possibly other state to make the SPOT spinner work.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, we'll need to work out how the auth frontend deals with this as well on the spinner page

@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Oct 7, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@CarlyG55 CarlyG55 CarlyG55 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Joe-Edwards-GDS @CarlyG55