We have an aspx page with some Page_Load code that calls a third party's TokenGenerator.aspx page to generate an SSO token
private string GetSSOToken()
{
using (WebClient client = new WebClient())
{
//serverUri is https://theirsite.com/Token.aspx, ssoRequestParam is a NameValueCollection
byte[] responsebytes = client.UploadValues(serverUri.AbsoluteUri, "POST", ssoRequestParam);
var ssoToken = Encoding.UTF8.GetString(responsebytes);
return ssoToken;
}
}
The returned ssoToken is added to a URL used as an iframe src. It ends up looking like this:
var frameUrl = "https://theirsite.com/SSO.aspx?ssotoken=returnedToken";
frame.Attributes["src"] = frameUrl;
The page then loads in the browser and all is well. This has been working fine for awhile.
Now we need to add a way to logout of the SSO.aspx. In our Logout() method when logging out of our application, I try calling their logout page:
using (WebClient client = new WebClient())
{
var logoutUrl = "https://theirsite.com/SSO.aspx?logout=true";
var s = client.DownloadString(logoutUrl);
}
But the logout never happens; their application doesn't show the logout happening, and I can paste the frameUrl into a browser and see the page still.
As a test, this works to logout:
Generate the frameUrl.
Copy/paste the frameUrl into a browser: it loads fine.
In a new separate window, paste the logoutUrl: logout does not happen, can still load frameUrl.
In another tab of the same browser, paste the logoutUrl: logout happens, frameUrl gives appropriate "token expired" message.
So I am guessing this is because the first WebClient session is not the same as the second WebClient session... but I am not sure how to reuse the first session during logout.
