@ken-gunadi

I'm not sure I understand the issue. How does the user have a valid session in an application they aren't registered for?

What am I missing?