This is basically what happened:
1) When you logged out of the other tab, you deleted the cookie that holds your "auth token", i.e., your authentication.
2) The other tab still had the auth token stored in a JavaScript variable, and sent that with each SOAP request, so it looked like you were still "logged in".
3) When you click on a link or do a "show original", the browser is actually doing an HTTP GET, and it needs to send the cookie (which you deleted in 1) to the server to get access to the data. Thus, you couldn't access them.
We've discussed workarounds for this issue, like the possibility of having the cookie name be based on an account id, so you could log in to multiple accounts in the same browser. We'd then have to modify the client code that does the GET to include the account id in the request, so the server knew which cookie to look at.
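
A small model of the three steps above and of the per-account cookie workaround, added here as an illustration and not code from the product or from the original post. The cookie name `AUTH_TOKEN`, the token format and all function names are assumptions.

```javascript
// Constructed model; every name here is hypothetical, not the product's API.
const COOKIE = "AUTH_TOKEN";
const validTokens = new Map(); // server side: token -> owning account id

function login(jar, accountId, cookieName) {
  const token = `tok-${accountId}-${validTokens.size + 1}`; // constructed token
  validTokens.set(token, accountId);
  jar.set(cookieName, token); // the cookie jar is shared by every tab
  return { accountId, token }; // each tab also keeps an in-memory copy
}

// Step 1: logging out removes the cookie only.
const logout = (jar, cookieName) => jar.delete(cookieName);

// Step 2: SOAP requests carry the tab's in-memory token, not the cookie.
const soapRequest = (tab) => (validTokens.has(tab.token) ? 200 : 401);

// Step 3: a plain GET can only present cookies. When accountId is given, the
// server reads that account's cookie and checks that the token belongs to it.
function httpGet(jar, accountId) {
  const name = accountId === undefined ? COOKIE : `${COOKIE}_${accountId}`;
  const token = jar.get(name);
  if (!token || !validTokens.has(token)) return 401;
  if (accountId !== undefined && validTokens.get(token) !== accountId) return 403;
  return 200;
}

function sharedCookieScenario() {
  const jar = new Map();
  const tabA = login(jar, "acct1", COOKIE);
  logout(jar, COOKIE); // done from another tab
  return { soap: soapRequest(tabA), get: httpGet(jar) };
}

function perAccountScenario() {
  const jar = new Map();
  const tabA = login(jar, "acct1", `${COOKIE}_acct1`);
  const tabB = login(jar, "acct2", `${COOKIE}_acct2`);
  logout(jar, `${COOKIE}_acct2`); // the other tab logs out of its own account
  jar.set(`${COOKIE}_acct3`, tabB.token); // token filed under the wrong account
  return { soap: soapRequest(tabA), getA: httpGet(jar, "acct1"),
           getB: httpGet(jar, "acct2"), mismatch: httpGet(jar, "acct3") };
}

console.log(sharedCookieScenario(), perAccountScenario());
```

The ownership check in `httpGet` matters once the account id comes from the request: without it, any valid token placed under another account's cookie name would be accepted for that account.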