Why session deletion in database sso session store are not exact?

Using database sessions store, when calling Delete the SQL command is:
DELETE FROM [table_name] WHERE [session_id] LIKE [param_session_id]%

Why the usage of like and %?
The session id is not stored exactly in the database?

What’s stored in the SessionID is a combination of the SAML session cookie value and the type of the SAML session object. This supports those applications that act as both an IdP and an SP in which case there would be two rows. The SessionID for both rows would start with the same SAML session cookie value but would have different suffixes indicating the two SAML session object types for IdP vs SP session data.

The sessonID parameter to the Delete method is the SAML session cookie value only. In most cases there will be only one entry but we use the WHERE/LIKE clause to ensure, if there are two entries (IdP and SP session data), that both are deleted.

Thank you for the detailed response.
The session id + type concatenation is done in CreateSessionIDForType right?
So if I’m implementing my own database so session store and I’m only an SP, I can use “were = session-id” and skip the usage of CreateSessionIDForType? (inserting the session-id only)

Yes, the CreateSessionIDForType method concatenates the session ID and type to create a unique ID. If you’re an SP only you can skip using this method and use the session ID directly as the key into the table.

Thank you

You’re welcome.