[BUG] Unable to completely log out the very first user

ios
bug
twitterkit

#1

With version 3 of the Twitter SDK for iOS, it is impossible to completely log out the first user that logs in due to SFSafariViewController caching their session credentials.

Because the ability to force login through the UIWebView with TWTRLoginMethod has been removed in this version of the SDK, it has completely broken our apps. Most of our applications are used in a kiosk mode so we are particularly sensitive to this change since we almost never want sessions to persist between uses.

The bug is persistent in our app with the following workflow:

  • We call logInWithCompletion to log in User A
  • They finish interacting with our app and we call logOutUserId to log them out
  • User B attempts to use our app and we call logInWithCompletion again
  • The modal appears briefly and then displays “Redirecting you back to the application”
  • User B never sees a login screen and instead they are signed in as User A
  • Until the phone is physically restarted, users are always logged in as User A since they happened to be the first person to log in.

When using the logInWithCompletion method the SFSafariViewController is always used for the first user authenticated. This means that if I’m logging out User A after interacting with Twitter it will always use this method. However, the session cookies for User A are retained since SFSafariViewController is sandboxed on the system level. This means that User A is remembered and automatically logged in when User B tries to log in even though I’ve logged out User A manually with logOutUserID. I have to physically restart the device to get this cookie cleared and there’s no way to clear the session manually since SFSafariViewController is sandboxed at the system level.

The only way to get around this is to never log out users in my application. This forces UIWebView behavior for everyone after User A and ensures that User A is not logged in automatically. However, the side effect of this behavior is that User A’s username is pre-filled when User B goes to log in, which is disconcerting for our particular use-case.

Additionally, the SFSafariViewController method adds extra controls at the bottom allowing the user to trigger the share dialogue or open the login page in the installed browser–effectively breaking kiosk mode in our application.

Ideally, it would be great if we could simply force login through UIWebView as we’ve previously been able to do. At the very least it is critical that the bug we’re seeing here gets addressed since it’s completely broken critical functionality for all our apps.

Thanks for your time!


#2

Any update or proposed workaround for this issue in TwitterKit 3?


#3

Hi @albertcmartin, the next version of TwitterKit should help fix this issue!


#4

@RajulArora Thanks for the reply! Any ETA for the new version?


#5

Hey @albertcmartin, we just released a new version of TwitterKit 3.1.1 which should help with web-based authentication! Please let me know if that fixes the issue for you.


#6

Running 3.1.1 and this bug is still not fixed. The first user remains logged in even with an explicit call to log them out. Here’s a condensed snippet:

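// Log out the user whose session is currently held in the session store.
TWTRSessionStore *store = [[Twitter sharedInstance] sessionStore];
NSString *userID = store.session.userID;
[store logOutUserID:userID];

// Start a fresh login for the next user and log whatever session comes back.
[[Twitter sharedInstance] logInWithCompletion:^(TWTRSession *session, NSError *error) {
  NSLog(@"%@", session);
}];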

First time, user is prompted for their username and password. Once they finish and the second user attempts to log in, the login screen is skipped and they see the avatar of the first user with a message “Authorize [app] to use your account?”
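
An added example, not code from this thread or from TwitterKit: a kiosk-side guard that clears the state the app itself controls between visitors and refuses a login that silently comes back as the previous account, which is the symptom reported above. The helper names (KioskResetTwitterState, KioskIsCarriedOverSession, KioskLogin) are hypothetical, and nothing here clears SFSafariViewController's cookies, which the original post says the app cannot reach.

```objc
#import <Foundation/Foundation.h>
#import <TwitterKit/TwitterKit.h>

// Hypothetical helper: reset every piece of Twitter state the app owns.
static void KioskResetTwitterState(void) {
    TWTRSessionStore *store = [[Twitter sharedInstance] sessionStore];

    // Log out every stored session, not only the current one.
    for (id<TWTRAuthSession> session in [store existingUserSessions]) {
        [store logOutUserID:session.userID];
    }

    // Drop Twitter cookies from the app's own cookie storage (in-app web views).
    NSHTTPCookieStorage *jar = [NSHTTPCookieStorage sharedHTTPCookieStorage];
    for (NSHTTPCookie *cookie in [jar.cookies copy]) {
        NSString *domain = cookie.domain.lowercaseString;
        if ([domain isEqualToString:@"twitter.com"] ||
            [domain hasSuffix:@".twitter.com"]) {
            [jar deleteCookie:cookie];
        }
    }
}

// YES when a fresh login returned the account that was just logged out.
// Assumption: a kiosk treats this as a carried-over session. A genuine return
// visit by the same person also matches, so the app should ask them to retry.
static BOOL KioskIsCarriedOverSession(TWTRSession *session, NSString *previousUserID) {
    return session != nil && previousUserID != nil &&
           [session.userID isEqualToString:previousUserID];
}

// Hypothetical wrapper: log in, but never hand the previous visitor's
// session to the next one. `done` receives nil when the login is rejected.
static void KioskLogin(NSString *previousUserID, void (^done)(TWTRSession *session)) {
    [[Twitter sharedInstance] logInWithCompletion:^(TWTRSession *session, NSError *error) {
        if (error != nil || KioskIsCarriedOverSession(session, previousUserID)) {
            KioskResetTwitterState();   // do not keep the unexpected session
            done(nil);
            return;
        }
        done(session);
    }];
}
```

Record the outgoing user's ID before calling KioskResetTwitterState, then pass it to KioskLogin for the next visitor.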


#7

Also, the web dialogue still has both Share and Open in Safari buttons in the top right of the screen which defeats the purpose of having a modal login. Users should not be able to exit our application since it is in kiosk mode.