4

I am using AFHTTPRequestOperationManager to get some data from our server. The server uses Basic authentication.

When the user logs into our app I set the credentials like this:

manager.credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistenceForSession];

And then I make a request like this:

[manager GET:address parameters:nil success:^(AFHTTPRequestOperation *operation, id responseObject) {
    // ...
} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
    // ...
}];

When I make the request the method connection:willSendRequestForAuthenticationChallenge: of the NSURLConnectionDelegate gets called (the method is implemented in AFURLConnectionOperation).

When the user logs out of the app and logs in again I set the credentials again from the user input. However, if this happens within 30 seconds of the previous successful request the credentials are not sent to authentication (connection:willSendRequestForAuthenticationChallenge: is not called). This means that the user can log out and then apparently log in even if the new credentials are incorrect since they are never checked.

If I wait at least 30 seconds there doesn't seem to be an issue (i.e. the credentials are checked and I get a 401 error).

Do I need to clear the credentials somehow when the user is logging out or am I going about it all wrong?

pajevic

1 Answer

0

I had the exact same problem and found out that there's a connection to AFNetworking's AFHTTPRequestOperationManager's method shouldUseCredentialStorage which defaults to YES.
And since I didn't find a way to clear the credentials on logout, what I do now is just disable the credentialStorage altogether like this:

AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
manager.shouldUseCredentialStorage = NO;

Not sure if that's the best possible solution but works for me.

Lukas Spieß
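
An added example, not code from the question or the answer: one way to make every login attempt reach the server is to send the Basic header explicitly through the AFNetworking 2.x request serializer, keep credential storage disabled as the answer does, and clear everything on logout. `APISession`, its method names and the base URL passed to it are hypothetical.

```objectivec
#import <Foundation/Foundation.h>
#import <AFNetworking/AFNetworking.h>  // AFNetworking 2.x

// Hypothetical helper: the class and its method names are illustrative.
@interface APISession : NSObject
@property (nonatomic, strong) AFHTTPRequestOperationManager *manager;
- (instancetype)initWithBaseURL:(NSURL *)baseURL;
- (void)loginWithUsername:(NSString *)username password:(NSString *)password;
- (void)logout;
@end

@implementation APISession

- (instancetype)initWithBaseURL:(NSURL *)baseURL {
    self = [super init];
    if (self) {
        _manager = [[AFHTTPRequestOperationManager alloc] initWithBaseURL:baseURL];
        // As in the answer above: do not consult NSURLCredentialStorage.
        _manager.shouldUseCredentialStorage = NO;
    }
    return self;
}

- (void)loginWithUsername:(NSString *)username password:(NSString *)password {
    // Put "Authorization: Basic ..." on every request, so the server sees the
    // newly entered credentials even when no authentication challenge is raised.
    [self.manager.requestSerializer setAuthorizationHeaderFieldWithUsername:username
                                                                   password:password];
}

- (void)logout {
    [self.manager.operationQueue cancelAllOperations];
    [self.manager.requestSerializer clearAuthorizationHeader];
    self.manager.credential = nil;

    // Remove anything earlier requests left in the shared store for this host.
    NSURLCredentialStorage *store = [NSURLCredentialStorage sharedCredentialStorage];
    NSString *host = self.manager.baseURL.host;
    [[store allCredentials] enumerateKeysAndObjectsUsingBlock:
        ^(NSURLProtectionSpace *space, NSDictionary *byUser, BOOL *stop) {
            if (![space.host isEqualToString:host]) return;
            for (NSURLCredential *credential in [byUser allValues]) {
                [store removeCredential:credential forProtectionSpace:space];
            }
        }];
}

@end
```

With this arrangement the app should treat the user as logged in only after a request made with the new header has returned a success status, so a 401 on the first request after login rejects the attempt.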