CFNetwork is not adding Authorization: headers proactively
- Subject: CFNetwork is not adding Authorization: headers proactively
- From: Jens Alfke <email@hidden>
- Date: Thu, 18 Feb 2016 11:32:56 -0800
I discovered yesterday that the networking layer of our library, which talks to a REST API, is sending every request twice when the server uses HTTP Basic auth. This obviously reduces performance, especially over high-latency cellular networks. It’s especially bad when we send a POST or PUT request with a large body (like a media attachment), because the body will get sent at full speed until the server responds, and then it gets sent again.
The sequence of events looks like:
1. I start an NSURLSessionTask.
2. CFNetwork sends request with no Authorization: header
3. Server of course responds with a 401 and `WWW-Authenticate: Basic…`
4. My task’s delegate gets an auth challenge. I return an NSURLCredential with a username and password
5. CFNetwork resends the request
6. This time the server accepts it
I would expect this to happen for the first request sent to this server, but it happens on _every_ request (and I’ve got HTTPScoop logs to prove it.) This goes against my understanding of the way HTTP auth is supposed to work, and the way I’ve seen it work in the past: after the initial auth challenge, the client should proactively include credentials in each request to the same server/realm. As RFC7235 says, "If a request is authenticated and a realm specified, the same credentials are presumed to be valid for all other requests within this realm."
I’ve tried varying the way my auth callback behaves, the persistence of the NSURLCredentials, and the properties of the NSURLSessionConfiguration, but nothing changes this behavior. (It also happens with NSURLConnection.)
Right now I’m testing this on Mac OS X 10.11.4, with an HTTP server on localhost, but evidence shows that this also happens on iOS and with remote servers.
—Jens
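The exchange described above, modeled as an added example that is not part of the original post and is not CFNetwork code. It assumes a toy in-process server, constructed credentials and body sizes, and a credential cache keyed by origin as a simplification of the RFC 7235 protection space; "reactive" mode reproduces the challenge-on-every-request sequence from the post, "proactive" mode the behavior the post expects.

```python
import base64

REALM = "api"                        # constructed realm name
USER, PASSWORD = "alice", "s3cret"   # constructed credentials
BASIC = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

def server(headers):
    """Toy Basic-auth server: 401 plus a challenge unless credentials match."""
    if headers.get("Authorization") == BASIC:
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

class Client:
    def __init__(self, proactive):
        self.proactive = proactive
        self.cache = {}              # origin -> Authorization value that worked
        self.requests_sent = 0
        self.body_bytes_sent = 0

    def _send(self, headers, body):
        self.requests_sent += 1
        self.body_bytes_sent += len(body)   # the body goes out on every attempt
        return server(headers)

    def post(self, origin, body):
        headers = {}
        # Basic credentials are only base64-encoded, so reuse them solely
        # for the origin that issued the challenge, never for other hosts.
        if self.proactive and origin in self.cache:
            headers["Authorization"] = self.cache[origin]
        status, resp = self._send(headers, body)
        if status == 401 and resp.get("WWW-Authenticate", "").startswith("Basic"):
            # Steps 4 and 5 of the post: answer the challenge, resend everything.
            headers["Authorization"] = BASIC
            self.cache[origin] = BASIC
            status, _ = self._send(headers, body)
        return status

def run(proactive, n_requests=5, body_size=1_000_000):
    client = Client(proactive)
    body = b"x" * body_size          # constructed upload body
    origin = "http://localhost:8080" # constructed origin
    statuses = [client.post(origin, body) for _ in range(n_requests)]
    return statuses, client.requests_sent, client.body_bytes_sent

if __name__ == "__main__":
    for mode in (False, True):
        print("proactive" if mode else "reactive", run(mode)[1:])
```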