by luketheobscure 3190 days ago
"NSURLSession oh so helpfully auto-fucking-matically decided I would probably—no, definitely—want to send those cookies in every single request my app did after that. Forever and always."

I imagine it honors the "expires" property of cookies, it just probably wasn't set. Also there's an "ephemeralSessionConfiguration" you can use if you don't want to store the cookies. I enjoyed the article, up until the author blamed the framework for their own ignorance.

2 comments

Sure, the cookies expire (in two weeks I think, in this case) but that doesn't invalidate the issue that the WKWebView silently shares cookies with NSURLSession, nor does it negate the confusing journey of tracking down the bug. Sheesh.
This is exactly what users want and you are basically breaking it by not honoring the cookies.
This is exactly the thing users don't care a damn about.
We do not need to honour cookies when making requests to the API as we use token authentication. Even if we wanted to keep users logged in within the web view, which we don't because the web view is just for static help pages, we wouldn't want to send those to the API.
Then you should disable cookies on your API calls by setting the `httpCookieStorage` property of your URLSessionConfiguration to nil. You could also use an ephemeral configuration (which will preserve cookies set by the API in memory but won't share them with webviews), which may or may not be a good idea depending on if you're using this session for anything that should be cached to disk (e.g. downloading images).
This is the correct answer and the reason that NSURLSession really came into existence - there is a need to partition behaviors between different frameworks and subsystems and the previous NSURLConnection model relied on a smattering of process global configuration options.

I'd be surprised if AFNetworking didn't also offer the ability to create a "private" NSURLSession with custom storage objects.

I'd also recommend looking into debugging these types of issues using, e.g., Charles Proxy. There's more information on logging at:

https://developer.apple.com/library/content/qa/qa1887/_index...

See also:

https://developer.apple.com/videos/play/wwdc2013/705/

Disclaimer: NSURLSession contributor...
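
Added example, not code from the thread or from any project mentioned in it: the two configurations suggested in the comments above (cookie storage set to nil, and an ephemeral configuration) compared against a default session. The host, token, `Bearer` header format, helper names and the cookie are constructed for illustration.

```swift
import Foundation

// Hypothetical API endpoint and token, used only for this example.
let apiURL = URL(string: "https://api.example.com/v1/profile")!
let apiToken = "EXAMPLE-TOKEN"

/// Session for token-authenticated API calls with no cookie jar at all.
func makeAPISession(token: String) -> URLSession {
    let config = URLSessionConfiguration.default
    config.httpCookieStorage = nil          // no store to read cookies from or write them to
    config.httpShouldSetCookies = false     // never attach a Cookie header automatically
    config.httpCookieAcceptPolicy = .never  // ignore Set-Cookie headers in responses
    // Header format is an assumption; the thread only says "token authentication".
    config.httpAdditionalHeaders = ["Authorization": "Bearer \(token)"]
    return URLSession(configuration: config)
}

/// Alternative from the thread: an ephemeral configuration keeps cookies in a
/// private in-memory store instead of the process-wide shared one.
func makeEphemeralSession() -> URLSession {
    URLSession(configuration: .ephemeral)
}

/// Names of the cookies a session's cookie store would offer for `url`.
func cookieNames(for session: URLSession, url: URL) -> [String] {
    let jar = session.configuration.httpCookieStorage
    return (jar?.cookies(for: url) ?? []).map { $0.name }
}

// Constructed cookie standing in for one left in the shared store by an
// earlier login elsewhere in the app.
let leftover = HTTPCookie(properties: [
    .name: "session",
    .value: "constructed-value",
    .domain: "api.example.com",
    .path: "/",
])!
HTTPCookieStorage.shared.setCookie(leftover)

let sessions: [(String, URLSession)] = [
    ("default", URLSession(configuration: .default)),
    ("nil cookie storage", makeAPISession(token: apiToken)),
    ("ephemeral", makeEphemeralSession()),
]
for (label, session) in sessions {
    print(label, "->", cookieNames(for: session, url: apiURL))
}

HTTPCookieStorage.shared.deleteCookie(leftover)  // clean up the constructed cookie
```

Only the default configuration reads from `HTTPCookieStorage.shared`, so only that session lists the leftover cookie.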

Why would users want that?
I think it is fair to say that the users don't really care as long as the implementation is done well, but if information about me is worth storing in a cookie (login information, perhaps), it is probably worth sending on all requests, even outside of the browser. If I've already logged in via the web browser, I don't want to have to log in again to use your API (and vice versa). It seems like a sensible default. The server can always ignore the cookies if they are not needed.
Something like that should at least be documented behavior of the framework. General purpose frameworks are not absolved of all guilt ipso facto... it is up to the developers who create them to provide a reasonable experience for the developers who use them as both tend to need one another.
Because they think that once they’ve logged on they are logged in and become annoyed if they have to do it again