SAK-49449 - Clear session on non-loopback launch (sakaiproject#12086)

Author: csev

plus/provider/src/main/java/org/sakaiproject/plus/ProviderServlet.java

@@ -491,7 +491,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			// Check if we are loop-backing on the same server, and already logged in as same user
 			Session sess = sessionManager.getCurrentSession();
 			String serverUrl = SakaiBLTIUtil.getOurServerUrl();
-			String ext_sakai_server = (String) payload.get("ext_sakai_server");
+			String iss = launch.tenant.getIssuer();
+			if ( StringUtils.equals(iss, serverUrl) ) {
+				log.debug("Running loopback id={} serverUrl={} iss={}", sess.getId(), serverUrl,iss);
+			} else {
+				sess.clear();
+				log.debug("Session cleared id={} serverUrl={} iss={}", sess.getId(), serverUrl,iss);
+			}
 
 			loginUser(ipAddress, user);