
I'm logging in users via REST in my .NET application. For that, in the WebBrowser control constructor I do the following:

```csharp
string server = "https://login.salesforce.com/";
var authURI = new StringBuilder();
authURI.Append(server + "services/oauth2/authorize?");
authURI.Append("response_type=code");
authURI.Append("&client_id=" + clientID);
authURI.Append("&redirect_uri=" + redirectURL);
webBrowser1.Navigate(authURI.ToString());
```

This works fine: the user is presented with the standard SFDC login screen, he/she logs in, I do all the flow to get the security token, and the user is able to work with SFDC.

Interesting stuff happens after the user logs out and tries to log in again (e.g. under a different name). At this point the security token (sessionId) has been revoked (I checked). He/she clicks the login button, the code above runs again, but instead of showing the SFDC login UI again, Salesforce just logs the user in automatically and redirects to the RedirectURI, kicking off the login flow. Thus the user has no way to log in under different credentials... I was sure it was because of some cookie SFDC leaves behind, but after deleting all the cookies the user still gets logged in automatically... I also do `this.Close(); this.Dispose();` on the WebBrowser control after logging in, so the next time it's instantiated, it's a brand new control...

taralex
  • If the cookies are HttpOnly cookies then the webbrowser will not store them. See [IEGetProtectedModeCookie](https://msdn.microsoft.com/en-us/library/cc196998(v=vs.85).aspx) – Jason Harrison Apr 13 '16 at 18:35
  • See this [answer](http://stackoverflow.com/a/37463604/2556111) – ramaral May 26 '16 at 14:49

1 Answer

Apparently, the HTTP session is still alive, even though the user has clicked the Log Out button. The session is managed by the underlying URLMON layer, so the new instance of WebBrowser stays on the same session. Try invalidating the session like this:

```csharp
dynamic document = webBrowser.Document;
document.execCommand("ClearAuthenticationCache", false);
```

Do this before you dispose of the current instance of WebBrowser; there has to be a functional Document inside it for this to work.

More info: Understanding Session Lifetime.

noseratio
  • Awesome! Worked like a charm, appreciate it! – taralex Jan 21 '14 at 17:59
  • Does not work with Facebook Login Flow, possibly because Facebook use HttpOnly cookies. If the cookies are HttpOnly cookies then the webbrowser will not store them. See [IEGetProtectedModeCookie](https://msdn.microsoft.com/en-us/library/cc196998(v=vs.85).aspx) – Jason Harrison Apr 13 '16 at 18:35
  • If this does not work for you, see this [answer](http://stackoverflow.com/a/37463604/2556111) – ramaral May 26 '16 at 14:53
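
An added example, not code from any of the posters above: a logout helper for a WinForms `WebBrowser` that combines the answer's `ClearAuthenticationCache` call with the WinINet `INTERNET_OPTION_END_BROWSER_SESSION` option, plus a builder for the question's authorize URL that percent-encodes each value. The class and method names are hypothetical, and `prompt=login` is an assumption to check against Salesforce's OAuth documentation for your org before relying on it.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Windows.Forms;

static class BrowserSession   // hypothetical helper, not part of any SDK
{
    // WinINet option that ends the browser session for the current process.
    private const int INTERNET_OPTION_END_BROWSER_SESSION = 42;

    [DllImport("wininet.dll", SetLastError = true)]
    private static extern bool InternetSetOption(
        IntPtr hInternet, int dwOption, IntPtr lpBuffer, int dwBufferLength);

    // Call on logout, while the control still holds a loaded document.
    public static void EndSession(WebBrowser browser)
    {
        if (browser.Document != null)
        {
            // Same command as in the answer, through the WinForms HtmlDocument wrapper.
            browser.Document.ExecCommand("ClearAuthenticationCache", false, null);
        }

        // The session is shared per process, so disposing the control alone
        // does not end it; ask WinINet to end it explicitly.
        if (!InternetSetOption(IntPtr.Zero, INTERNET_OPTION_END_BROWSER_SESSION,
                               IntPtr.Zero, 0))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        browser.Dispose();
    }

    // Authorize URL from the question, with each value percent-encoded so a
    // redirect URL containing '&' or '?' cannot alter the request.
    public static string BuildAuthorizeUrl(string clientId, string redirectUrl)
    {
        return "https://login.salesforce.com/services/oauth2/authorize"
            + "?response_type=code"
            + "&client_id=" + Uri.EscapeDataString(clientId)
            + "&redirect_uri=" + Uri.EscapeDataString(redirectUrl)
            + "&prompt=login";   // assumption: asks the server to show the login form
    }
}
```

Asking the server to re-prompt does not depend on what the embedded browser has cached, so it still yields a login screen if the client-side cleanup misses something.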