Using NSURLCredentialPersistenceForSession while request and then clearing the credentials on logout still persist the cerdentials

Question

I am using NSURLCredentialPersistenceForSession within didReceiveAuthenticationChallenge of NSURLConnection delegate method while login. Now when I logout and use this code for clearing the storage..

NSURLCredentialStorage *credentialStorage = [NSURLCredentialStorage sharedCredentialStorage];

 NSDictionary *credentialsDicationary = [credentialStorage allCredentials];

NSLog(@"credentialsDicationary..%@",[credentialsDicationary description]);



 for (NSURLProtectionSpace *space in [credentialsDicationary allKeys]) {

      NSDictionary *spaceDictionary = [credentialsDicationary objectForKey:space];

    NSLog(@"spaceDictionary..%@",[spaceDictionary description]);



      for (id userName in [spaceDictionary allKeys]) {

           NSURLCredential *credential = [spaceDictionary objectForKey:userName];

           [credentialStorage removeCredential:credential forProtectionSpace:space];

      }

 }

But when I suddenly login again exactly after logout the login happens with wrong credentials. Please let mw know how to clear the cache. It works if I relogin after some 5 secs of time.

Thanks in advance.. AJ

Answer 1

If you're using NSURLSession, invalidate the session and create a new one, e.g.:

[self.session invalidateAndCancel];
self.session = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration] delegate:self delegateQueue:nil];

This will clear session-scoped credentials.

Answer 2

If you use NSURLCredentialPersistenceForSession to create the credential then the app stores the credential for the entire session until the app is closed.

You can work around this by either:

• changing the url (like appending '#' to the end of the url)
• Use NSURLCredentialPersistenceNone and provide the credentials with each nsurlrequest
• Append auth info to the url (http://username:password@mywebsite.com), instead of using creds

• Append auth info to the request header, instead of using creds

  //Pseudo code for appending to header:
  NSString *authString = [NSString stringWithFormat:@"%@:%@", self.loginCreds.username, self.loginCreds.password];
  NSData *stringData = [authString dataUsingEncoding:NSUTF8StringEncoding];
  authString = [NSString stringWithFormat:@"Basic %@", [stringData base64EncodedString]];
  
  [[self requestHeader] setValue:authString forHTTPHeaderField:@"Authorization"];
  

It's possible to remove the credential but it can take minutes before it is actually removed. However, I don't remember how its done.. It's either done the way you mentioned in the question or through the keychain.

Answer 3

I had the same issue and I tried clear the credential storage, cookies associated with url and even trying to reset the session but nothing seemed to work, finally I just resorted to adding a a random query string value to the end of the url and that did the trick for me

// Random number calculated.
NSInteger randomNumber = arc4random() % 16;

NSURL* apiURL = [NSURL URLWithString:@"https://localhost/api/"];

[[RKObjectManager sharedManager] getObjectsAtPath:[NSString stringWithFormat:@"%@getUser?randomNumber=%d",apiURL,randomNumber]
                                       parameters:nil
                                          success:successBlock
                                          failure:failureBlock];

So instead of trying to remove current cached credentials (which seemed impossible) just use a "fresh" url so there aren't any cached objects associated with it.

Answer 4

I was facing the same problem, now it works.

Using NSURLConnection this issue can be fixed easily by adding a random number to the end of the URL:

So, search for your URLRequest and append the random number to URLRequest

NSInteger randomNumber = arc4random() % 999;
NSString *requestURL = [NSString stringWithFormat:@"%@?cache=%ld",yourURL,(long)randomNumber];

NSURL *URLRequest = [NSURL URLWithString:requestURL];

And make sure you have a random number at the end of all URLs you are calling.