I discovered yesterday that the networking layer of our library, which talks to 
a REST API, is sending every request twice when the server uses HTTP Basic 
auth. This obviously reduces performance, especially over high-latency cellular 
networks. It’s especially bad when we send a POST or PUT request with a large 
body (like a media attachment), because the body will get sent at full speed 
until the server responds, and then it gets sent again.

The sequence of events looks like:

1. I start an NSURLSessionTask.
2. CFNetwork sends the request with no `Authorization:` header.
3. Server of course responds with a 401 and `WWW-Authenticate: Basic…`
4. My task’s delegate gets an auth challenge. I return an NSURLCredential with 
a username and password.
5. CFNetwork resends the request.
6. This time the server accepts it.

I would expect this to happen for the first request sent to this server, but it 
happens on _every_ request (and I’ve got HTTPScoop logs to prove it.) This goes 
against my understanding of the way HTTP auth is supposed to work, and the way 
I’ve seen it work in the past: after the initial auth challenge, the client 
should proactively include credentials in each request to the same 
server/realm. As RFC 7235 says, "If a request is authenticated and a realm 
specified, the same credentials are presumed to be valid for all other requests 
within this realm."

I’ve tried varying the way my auth callback behaves, the persistence of the 
NSURLCredentials, and the properties of the NSURLSessionConfiguration, but 
nothing changes this behavior. (It also happens with NSURLConnection.)

Right now I’m testing this on Mac OS X 10.11.4, with an HTTP server on 
localhost, but evidence shows that this also happens on iOS and with remote 
servers.

—Jens
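
Added example, not part of the original post and not CFNetwork code: a small Python model of the exchange described above, comparing a client that only answers challenges with one that reuses credentials for the same origin after the first challenge. The toy server, the `Client` class, the origin URL, and the username and password are all constructed for illustration.

```python
import base64

REALM = "api"  # constructed realm name

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def server(headers):
    """Toy Basic-auth server: returns (status, response headers)."""
    if headers.get("Authorization") == basic("jens", "s3cret"):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

class Client:
    def __init__(self, preemptive):
        self.preemptive = preemptive
        self.cache = {}       # origin -> Authorization value; never reused for another origin
        self.requests = 0     # requests put on the wire
        self.body_bytes = 0   # request body bytes put on the wire

    def _transmit(self, headers, body):
        self.requests += 1
        self.body_bytes += len(body)
        return server(headers)

    def send(self, origin, body=b""):
        headers = {}
        # Proactive credentials: only after this origin has already challenged us.
        if self.preemptive and origin in self.cache:
            headers["Authorization"] = self.cache[origin]
        status, resp = self._transmit(headers, body)
        if status == 401 and "WWW-Authenticate" in resp:
            # Stand-in for the delegate's auth-challenge callback.
            headers["Authorization"] = basic("jens", "s3cret")
            status, resp = self._transmit(headers, body)  # body is sent a second time
            if status == 200:
                self.cache[origin] = headers["Authorization"]
        return status

def run(preemptive, n=5, body=b"x" * 1000):
    """Send n identical uploads; return (statuses, requests sent, body bytes sent)."""
    client = Client(preemptive)
    statuses = [client.send("http://localhost:8080", body) for _ in range(n)]
    return statuses, client.requests, client.body_bytes

if __name__ == "__main__":
    print("challenge on every request:", run(False))
    print("credentials reused per origin:", run(True))
```

Keying the cache by origin keeps the credentials from being sent proactively to any server that has not already issued a challenge for them.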