I have an app that communicates with a server that uses HTTP Digest authentication.
It seems to me that the 'session' management within the iPhone is pretty "black box" to us developers. Is it true that we can't see how the framework handles / persists HTTP sessions?
If I'm just being dim here, would someone care to explain how to properly handle HTTP Digest authentication on the iPhone?
My basic run through is:
- Make a request to a secured url
- Server sends a 401
- client creates and persists a credential, and passes it back to the server
- server verifies credential, completes request if verified, sends another 401 if not.
- make a subsequent request to secure url
- server requests authorisation again........
This works for single requests, but if I make additional, subsequent requests, the server requests authorisation again. The server has persisted a session for the particular user, but the iPhone isn't making a request within the same session for some reason... Therefore, the server has to throw out the authentication object and create a new one each time the client makes a request to a secured url.
I'm sure this isn't correct behaviour.
If we look at how a browser behaves in this situation:
- Browser requests data from secure url
- server sends 401
- browser prompts user for credential, persists it, passes it to server
- server verifies credential, returning data if verified, sends another 401 if not.
- subsequent requests made to secure urls are not prompted for credentials because the browser manages the session.
I'm creating the NSURLCredential and persisting it within the NSURLCredentialStorage. Then, when the app receives the 'didReceiveAuthenticationChallenge', I retrieve the credential from the storage and pass it back, creating the credential if it doesn't exist (on the first request).
Any help would be greatly appreciated. Thanks.
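Added example, not part of the original post: a minimal simulation of the RFC 2617 Digest exchange (qop=auth, MD5) listed in the steps above, in which the client keeps the server's nonce and sends the next request with an incremented nonce count, so no second 401 is needed. The `Server` and `Client` classes, realm, nonce and credentials are constructed for illustration and do not model NSURLConnection's behaviour.

```python
import hashlib, hmac, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth; nc is sent as 8 hex digits."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")

class Server:
    """Constructed server: one nonce, remembers the highest nc seen."""
    def __init__(self, realm, users, nonce):
        self.realm, self.users, self.nonce, self.last_nc = realm, users, nonce, 0

    def handle(self, method, uri, auth=None):
        challenge = (401, {"realm": self.realm, "nonce": self.nonce})
        if not auth or auth["nonce"] != self.nonce or auth["user"] not in self.users:
            return challenge
        if auth["nc"] <= self.last_nc:  # replayed or reused count is rejected
            return challenge
        expected = digest_response(auth["user"], self.realm, self.users[auth["user"]],
                                   method, uri, self.nonce, auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return challenge
        self.last_nc = auth["nc"]
        return (200, {})

class Client:
    """Keeps the last challenge and sends Authorization preemptively."""
    def __init__(self, user, password):
        self.user, self.password, self.challenge, self.nc = user, password, None, 0

    def _authorization(self, method, uri):
        self.nc += 1
        cnonce, c = secrets.token_hex(8), self.challenge
        return {"user": self.user, "nonce": c["nonce"], "nc": self.nc, "cnonce": cnonce,
                "response": digest_response(self.user, c["realm"], self.password,
                                            method, uri, c["nonce"], self.nc, cnonce)}

    def request(self, server, method, uri):
        """Returns (final status, number of round trips used)."""
        for trips in (1, 2):
            auth = self._authorization(method, uri) if self.challenge else None
            status, headers = server.handle(method, uri, auth)
            if status != 401:
                return status, trips
            self.challenge, self.nc = headers, 0  # new challenge: restart the count
        return status, trips
```

The first request takes two round trips (401, then 200); a later request on the same `Client` takes one, because the cached nonce is reused with the next nonce count.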