Hi Jim,
My test suggest different result. It seems there is some configuration issues at you end.
Here is my test case :
1. Impersonator access impersonator resource /impersonator/index.asp and provides valid credential.
2. Once impersonator is logged in, he starts the impersonation and impersonates user - "impersonatee"
3. On successful impersonation, he is redirect to impersonatee resource /impersonatee/index.asp (note this realm has Impersonatioin related rules- impersonatestartuser & impersonationstart)
4. Now, the impersonator tries to access /impersonateeonly/ resource, i.e realm which doesn't have impersonation related rules - impersonatestartuser & impersonationstart) (Frame 10)
5. However, as the impersonation event/rule is not configured on /impersonateeonly/ realm, the impersonator user session is not valid and is thus redirected to the login page.
6. However, at this point unlike your test, neither of SMSAVEDSESSION or SMESSION is deleted (Frame 11)
7. Now, as the impersonator finds he doesn't have access to /impersonateeonly/ realm so he access the impersonatee resource which he has access to - /impersonatee/ (Frame 12)
8. From here, on he can now successfully end impersonation
So , as per my testing, there is no problem ending impersonatee session during error condition as well as no session is deleted.
I have attached the fiddler for your reference.
Please let me know if you questions.
Regards,
Ujwol