With version 3 of the Twitter SDK for iOS, it is impossible to completely log out the first user that logs in due to SFSafariViewController caching their session credentials.
Because the ability to force login through the UIWebView with TWTRLoginMethod has been removed in this version of the SDK, it has completely broken our apps. Most of our applications are used in a kiosk mode so we are particularly sensitive to this change since we almost never want sessions to persist between uses.
The bug is persistent in our app with the following workflow:
- We call logInWithCompletion to log in User A
- They finish interacting with our app and we call logOutUserId to log them out
- User B attempts to use our app and we call logInWithCompletion again
- The modal appears briefly and then displays “Redirecting you back to the application”
- User B never sees a login screen and instead they are signed in as User A
- Until the phone is physically restarted, users are always logged in as User A since they happened to be the first person to log in.
When using the logInWithCompletion method, the SFSafariViewController is always used for the first user authenticated. This means that if I’m logging out User A after interacting with Twitter, it will always use this method. However, the session cookies for User A are retained since SFSafariViewController is sandboxed on the system level. This means that User A is remembered and automatically logged in when User B tries to log in, even though I’ve logged out User A manually with logOutUserID. I have to physically restart the device to get this cookie cleared, and there’s no way to clear the session manually since SFSafariViewController is sandboxed at the system level.
The only way to get around this is to never log out users in my application. This forces UIWebView behavior for everyone after User A and ensures that User A is not logged in automatically. However, the side effect of this behavior is that User A’s username is pre-filled when User B goes to log in, which is disconcerting for our particular use-case.
Additionally, the SFSafariViewController method adds extra controls at the bottom allowing the user to trigger the share dialogue or open the login page in the installed browser–effectively breaking kiosk mode in our application.
Ideally, it would be great if we could simply force login through UIWebView as we’ve previously been able to do. At the very least it is critical that the bug we’re seeing here gets addressed since it’s completely broken critical functionality for all our apps.
Thanks for your time!