I'm adding optional OpenID authentication to the system. Everything works smoothly with DotNETOpenID. Yet, I get an issue when:
- User logs into the web application using a standard login (FormsAuthentication)
- User associates some OpenID with the account (we use programmatic OpenID logon here to get the claimed identity)
- User logs out of the FormsAuthentication and logs back in with the OpenID (using the Login control).
At the last step we get a replay attack error. I suspect that OpenID persists some information in the application store (to be used for requests) which is used to get the previous request, instead of starting a new one.
Could anyone help shed some light on the problem here?
If the issue is how I've understood it, how could I clean up this specific state information after successfully binding the OpenID to the account using the programmatic login (given that I've got a successful request at hand)?