Linking/Unlinking of Offline Application not working properly

Question

After a successful & verified RemoveUserAuthentication call, requesting to establish an offline Link again, still remembers the PersonID removed and doesn't redirect to authorize the application again, however if you close the browser instance and restart it, it works properly (as expected) ie. will redirect to the ppe shell and propmts user to login with Live ID and to allow access for the App.

What I want to acheive is not having to close/restart the browser for the offline sharing disconnect/unlink to show that it actually was disconnected from HealthVault.

Here is my code for linking and unlinking the App

Link as follow in Page_Load
Guid personID;
Guid recordID;

//Get person ID and record ID
personID = PersonInfo.PersonId;
recordID = PersonInfo.SelectedRecord.Id;

//Save Person/Record IDs in Local DB
...

Then Unlink as follows:
//retrieve Person ID of Authenticated patient from local DB
Guid person = new Guid(personid);

// Establish the offline connection with only the person ID parameter
OfflineWebApplicationConnection offlineConn;
offlineConn = new OfflineWebApplicationConnection(person);
offlineConn.Authenticate();

// Remove the authorization
PersonInfo personInfo_offline = offlineConn.GetPersonInfo();               

personInfo_offline.SelectedRecord.RemoveApplicationAuthorization();

//Code to remove record from local DB
...

Answer 1

What happens when you refresh the browser?  I'm looking at your code and seeing this:

1. Person is signed in to your application (Online Connection), you have a PersonInfo cookie stored on your domain for the person. This cookie contains the Person and Record Ids.

2. You now are making an offline connection for the personId of the logged in person.  You are then calling RemoveApplicationAuthorization.

3. So now authorization is removed, but you still have the Online Connection cookie from the user logging in to your web site. What is the behavior when you try to perform an action on PersonInfo.SelectedRecord? You should get an access denied exception.  What is your point in disconnecting the user? Are you wanting them to sign in as someone else, or just cancel their account?

4. It looks like in your online scenario, you should you use the HealthInformationPage.SignOut http://msdn.microsoft.com/en-us/library/microsoft.health.web.healthservicepage.signout

Answer 2

Thanks Victor, if I refresh the browser after unlink, I get a handled InvalidPersonException (Connection already removed).

So how do I get rid of this cookie.  My point of disconnecting is to cancel the account (or give the user the ability to disconnect the app from HealthVault as best practice), without restarting the browser (a highly likely scenario).

I think a SignOut after RemoveApplicationAuthorization should remove/expire the PersonInfo Cookie, any specific example would be very helpful.

Regards

Answer 3

Can't you call SignOut?  In your code it looks like you're using HealthServicePage... just call this.SignOut ?

Answer 4

Yes I have called Microsoft.Health.Web.WebApplicationUtilities.SignOut(HttpContext.Current); and it works, although someone suggested the following:

"it appears that you are creating a new offline connection just for the removal of the authorization.  If you have already created a prior connection with the user information, that will still be valid while it still exists and is associated with the specified Person ID.  I would recommend that you use a single offline connection for all offline interactions for an individual user"

Problem solved, thanks.