
I'm puzzled that NSURLRequest with the .returnCacheDataElseLoad/.returnCacheDataDontLoad cache policy ignores basic authorization. So the following scenario works incorrectly:

  • Set up the URL cache policy to use the local cache before requesting from the server
  • Make a fresh request with good credentials and receive a success response
  • Switch to offline
  • Make a request to the previous URL but with incorrect authorization credentials
  • Watch the second request with incorrect credentials succeed

Overall, this bug lets anyone sign in if offline mode in the app is implemented via the iOS system cache.

Is anybody familiar with this issue? It happens at least on iOS 10. I'm looking for a way to fix it in a gentle manner.

brigadir

1 Answer


This is expected behavior. NSURLCache caches based solely on the URL itself, not based on any other aspect of the request. Headers, POST body, etc. are not taken into account, IIRC. (I could be forgetting some part that isn't ignored, but either way, credentials are.)

If you want to make your app support multiple user accounts with different views into the server-side data, you need to use a separate cache for each user, and you need to check the authentication credentials on the client side somehow. (This is, in and of itself, probably a mistake, BTW, as it means that the client and server can get out of sync in terms of their notion of the current password.)

dgatwood
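An added example (not code from the question or the answer) of the per-user cache separation the answer recommends. It assumes a hypothetical `userID` that the app obtains only after the server has accepted the credentials; the sign-in request itself goes through a session that never reads from cache, so the credential check always reaches the server.

```swift
import Foundation

/// URLCache keys entries by URL only, so a single shared offline cache would serve
/// one user's cached responses to any later request for the same URL, whatever
/// Authorization header that request carries. Two mitigations are shown here:
/// never satisfy the sign-in request from cache, and give each user their own cache.
enum OfflineCache {
    /// Session for the sign-in request: no cache, and the policy forces a network round trip,
    /// so a wrong password can never be "validated" by a stored success response.
    static func signInSession() -> URLSession {
        let config = URLSessionConfiguration.ephemeral
        config.urlCache = nil
        config.requestCachePolicy = .reloadIgnoringLocalCacheData
        return URLSession(configuration: config)
    }

    /// Hypothetical helper: offline-capable session whose cache lives in a directory derived
    /// from the authenticated user's identifier, so users never share cached responses.
    /// Call this only after signInSession() has received a success response from the server.
    static func session(forAuthenticatedUserID userID: String) -> URLSession {
        let cachesDir = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask)[0]
        let userDir = cachesDir.appendingPathComponent("offline-cache-\(userID)", isDirectory: true)
        let cache = URLCache(memoryCapacity: 4 * 1024 * 1024,   // 4 MB in memory
                             diskCapacity: 50 * 1024 * 1024,    // 50 MB on disk
                             directory: userDir)                // iOS 13+ / macOS 10.15+ initializer
        let config = URLSessionConfiguration.default
        config.urlCache = cache
        // The offline-first policy is applied to this per-user session only, never to URLCache.shared.
        config.requestCachePolicy = .returnCacheDataElseLoad
        return URLSession(configuration: config)
    }

    /// On sign-out or a credential change, drop that user's cached responses so a later
    /// offline request cannot be answered with data fetched under the old credentials.
    static func purge(session: URLSession) {
        session.configuration.urlCache?.removeAllCachedResponses()
    }
}
```

The per-user directory keeps one account's data out of another's offline view, but as the answer notes it does not make the client a trustworthy judge of passwords; the server remains the only place credentials are verified.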