HTTP Basic Authentication "Logout" with NSURLConnection

I am currently building an iPhone application which has to communicate with a RESTful web service. It uses HTTP Basic authentication to log into the system. All that works just fine. But! The trouble begins when you want to change the user while the application is running. How so? Well, with HTTP Basic authentication, you simply can't logout! Well, actually, that's not entirely true. The restrictions that Apache describes in their FAQ should only apply to browsers and are only present because browsers don't allow you to "forget" the HTTP Basic authentication credentials. Cocoa Touch provides you as a programmer with with all kinds of functionality to handle HTTP credentials. The problem is, that even when you remove these credentials the system somehow still remembers them. I could find no way to make it effectively forget the stored credentials. So how was I able to solve this problem? You probably won't believe it, but the solution was a hash. Yes, a simple # symbol! Let me explain this in a little more detail. When you set up an NSURLConnection, it's delegate receives different messages, for example connection:didReceiveAuthenticationChallenge:. This delegate method is called when the server you're talking to requests HTTP authentication. You simply provide the credentials and everyone is happy:

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
NSLog(@"got auth challange");

if ([challenge previousFailureCount] == 0) {
  [[challenge sender]  useCredential:[NSURLCredential credentialWithUser:[usernameTextField text] password:[passwordTextField text] persistence:NSURLCredentialPersistenceForSession] forAuthenticationChallenge:challenge];
} else {
  [[challenge sender] cancelAuthenticationChallenge:challenge];  
}
}

The persistence argument of the NSURLCredential constructor tells the system how to persist the credentials (D'uh!). NSURLCredentialPersistenceForSession means for the whole session, NSURLCredentialPersistencePermanent means permanently (will be saved in the keychain, but doesn't work in the iPhone simulator) and NSURLCredentialPersistenceNone SHOULD mean not at all. The problem is: it doesn't. When you specify NSURLCredentialPersistenceForSession the credentials are stored in [[NSURLCredentialStorage sharedCredentialStorage] allCredentials]. Naive as I am, I figured removing the credentials should prompt the connection:didReceiveAuthenticationChallenge: delegate method to be called again upon the next request:

// reset the credentials cache...
NSDictionary *credentialsDict = [[NSURLCredentialStorage sharedCredentialStorage] allCredentials];

if ([credentialsDict count] > 0) {
// the credentialsDict has NSURLProtectionSpace objs as keys and dicts of userName => NSURLCredential
NSEnumerator *protectionSpaceEnumerator = [credentialsDict keyEnumerator];
id urlProtectionSpace;

// iterate over all NSURLProtectionSpaces
while (urlProtectionSpace = [protectionSpaceEnumerator nextObject]) {
  NSEnumerator *userNameEnumerator = [[credentialsDict objectForKey:urlProtectionSpace] keyEnumerator];
  id userName;

  // iterate over all usernames for this protectionspace, which are the keys for the actual NSURLCredentials
  while (userName = [userNameEnumerator nextObject]) {
    NSURLCredential *cred = [[credentialsDict objectForKey:urlProtectionSpace] objectForKey:userName];
    NSLog(@"cred to be removed: %@", cred);
    [[NSURLCredentialStorage sharedCredentialStorage] removeCredential:cred forProtectionSpace:urlProtectionSpace];
  }
}
}

Of course, it didn't. I also tried setting the Authentication header directly on the request and setting up false default credentials in the hope that it would prompt another authentication challenge. All to no avail. So my last resort was this: I thought maybe adding a random different anchor to the end of the url on each request would prompt a new authentication challenge since it would always be a "different" URL. Turns out that I didn't even have to go that far: adding just a single "#" to the end of the URL did the trick! So instead of saying

[NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"http://localhost:3000/something.json"]]

you say

[NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"http://localhost:3000/something.json#"]]

Then it behaves exactly the way you want it to. With NSURLCredentialPersistenceNone it really calls the connection:didReceiveAuthenticationChallenge: on every request and with NSURLCredentialPersistenceForSession it stores it until you remove the credentials with the code posted above! So now HTTP Basic "logout" with NSURLConnection actually works! You can find the sample code here: http://gist.github.com/27421.

---

Comments