Explicit Authentication request is skipped if a user is logged in already (due to cookie I believe)

Hi, We have the following setup:

  • Nuxeo running in an embedded iFrame, which is a part of our application
  • To use our application, the user must log in to it
  • To use Nuxeo, the user clicks on a dedicated button, which causes the iFrame to SSO to Nuxeo, using currently logged in user's credentials

The problem is that:

  • user A logs in to our application
  • user A clicks the iFrame button
  • iFrame related code explicitly sends auth request with A's credentials to nuxeo/nxstartup.faces
  • the auth is handed to our SSO plugin, and upon successful auth A gets into Nuxeo
  • user A logs out of our application
  • user B logs in to our application
  • user B clicks the iFrame button
  • iFrame related code explicitly sends auth request with B's credentials to nuxeo/nxstartup.faces
  • Nuxeo consumes the auth request and lets user B in, while displaying user 'A' as the one being logged in; looking into server.log confirms that the auth request for user B never reaches our SSO plugin

Could anyone please advise on how to resolve the issue? P.S.:

  • I have tried to delete the JSESSIONID cookie from within the main application code, but I cannot even see it (I think it is because our application and Nuxeo are on different domains).
  • If I am not mistaken this has nothing to do with the use of an iFrame, i.e. I can reproduce it by pasting the URLs the iFrame submits its requests to into a plain browser tab and get the same results.

ANSWER

That looks like a single global logout problem and depends on your SSO. For instance, with CAS, "user A logs out of our application" should imply a CAS logout. Other forms of global logout might be more complex to handle.
11/29/2016