Hi all, I have developed a login process with a 3rd party - SSO. This works. I can login fine. I have coded a logout process as well to just log out of the Umbraco website. Since the person can have multiple other sites/sources with the SSO I do not want to log them out of that until thats own session expires.

So what is the issue?

There are some cases where members have multiple accounts. When they login and then out while I perform steps to try and clear cookies and other aspects if they go and login again the previous Umbraco member is logged in.

• The third party SSO is logged in with the correct user
• When I debug the returned user (member) is the right one
• I run the Umbraco code to login and has no errors.
• Any time I output current logged in member it has the previous person.

The core login code:

        IMember umbracoMember = GetUmbracoMemberByID(userId);

• I am getting the Member with same name - This works.
• If there is no member I create one - This works.
• I ensure details are up to date, roles etc. - This works

I do the following for the login:

MemberIdentityUser memberIdentity = CreateMemberIdentityUser(umbracoMember);
        memberIdentity.IsApproved = true;

        await _memberSignInManager.SignOutAsync(); // just ensure we do sign anyone out
        await _memberSignInManager.SignInAsync(memberIdentity, false);

So I try and ensure they not logged in before logging in. This is an addition to what I had before trying to debug this issue.

This is the function I am running at logout:

public async Task<IActionResult> HandleLogout([Bind(Prefix = "logoutModel")] PostRedirectModel model)
    {
        // Handle both GET and POST requests for logout:
        if (Request.Method == HttpMethods.Get || Request.Method == HttpMethods.Post)
        {
            var isLoggedIn = HttpContext.User?.Identity?.IsAuthenticated ?? false;

            if (isLoggedIn)
            {
                // Trigger logout on the external login provider.
                // Do we need to implement this??

                // Trigger logout on this website.
                await _signInManager.SignOutAsync();

                // Clear temp data
                HttpContext.Session.Clear();
                TempData.Clear();

                // Ensure session clear
                //ClearUmbracoAuthCookies();
                DeleteAllCookies();
                HttpContext.Session.Clear();


                // Consider a specific redirect after logout:
                //return RedirectToCurrentUmbracoPage();
                return Redirect("/logout-director");
            }
        }

        // Not logged in, or error occurred:
        return CurrentUmbracoPage();
    }

But if I ensure the 3rd party CRM is logged out and login with a different user it remembers the old one.

While running local host if I stop and restart it will login to the correct user first time. There is some session of some sort holding the old one but I have no idea what it is. - I delete cookies - I clear tempdata - I clear session data? - I log out

Any help would be much appreciated.

Note: Logout-director was an attempt by me to go to a specific page and then from there do cookie and session clearing if there was an issue with the log out process. This did not work either.