Unable to completely log user out with TwitterKit

ios
fabric
auth
twitterkit

#1

I’ve read the docs on how sessions are managed with TwitterKit, but the behaviour I’m experiencing is still unexpected.

A user with all Safari website data cleared and no iOS Twitter accounts logs into our app using Twitter.sharedInstance().logInWithCompletion (uses TWTRLoginMethodAll). They then log out of our app. When logging out I run the following code to try and remove credentials completely:

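import TwitterKit

// Reload sessions from their backing store so the list below is current
let twitterSessionStore = Twitter.sharedInstance().sessionStore
twitterSessionStore.reloadSessionStore()

// Log out every user session TwitterKit has stored for this app
for case let session as TWTRSession in twitterSessionStore.existingUserSessions()
{
	twitterSessionStore.logOutUserID(session.userID)
}

// Reset the shared URL session (cookies, caches and credential stores)
NSURLSession.sharedSession().resetWithCompletionHandler {}

// Delete every cookie in the app's shared cookie storage
let cookieStore = NSHTTPCookieStorage.sharedHTTPCookieStorage()
cookieStore.cookies?.forEach { cookieStore.deleteCookie($0) }

NSUserDefaults.standardUserDefaults().synchronize()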

Once logged out, the user quits the app, deletes the newly created iOS Twitter account, and goes into iOS Safari settings and wipes website data again. They then ensure the user is not logged in on Twitter.com in Safari.

The user then relaunches the app and attempts to log in again using the above method. The user sees a modal view pop up but is then automatically redirected and logged in automatically.

How is this happening and where are the credentials being stored for them to be automatically logged in!?

All local and Safari caches are cleared, iOS account deleted, and logout is called on each stored TwitterKit session. This should really be wiping everything, but it isn’t.

Please can someone advise. I don’t want to just use TWTRLoginMethodWebBasedForceLogin as that is not a great experience to force users to enter their password if they have an account already authenticated on the device. I’d like to know what is happening in this situation and why the credentials are not wiped properly when logOutUserID is called for each session.

Update: It would appear that even deleting our app and re-installing will automatically log you in, and hence remembers your credentials. How on earth could this be happening?!

I’m using Fabric 1.6.8, TwitterKit 2.4.0, TwitterCore 2.4.0


#2

Hey @mwaterfall,

It sounds like you’re seeing some odd things. The logOut method you’re calling should do the trick for your app itself, so I’m surprised it’s not happening. Could you share the Console output from when you’re logging out the user?

-Mike


#3

Hey Mike,

Yes, very odd. I’m not seeing any console output related to Fabric or Twitter during the logOut method calls, even with Fabric.sharedSDK().debug = true. I can confirm that the sessionStore.logOutUserID(session.userID) method is being executed.

Can you advise?

Many thanks,

Michael


#4

Could you share the console output you are seeing?


#5

As mentioned, nothing is output to the console during logout. In fact, nothing is logged even when a user logs in via TwitterKit. The only Fabric/Twitter logs we see are when launching the app (version numbers etc) and when settings are downloaded. Are there any flags that need to be set to enable logging other than the Fabric shared SDK one?


#6

Sorry if I was unclear. I was hoping to see the console log to glean other information that may explain what’s going on. Can you enable debug mode to produce more console output and share the full log? If you’re hesitant to share it publicly, let me know.


#7

Hi Mike, as I mentioned in my first reply, I have enabled debug mode (Fabric.sharedSDK().debug = true) and sadly I am still not seeing any output during logout/login.


#8

Thanks again @mwaterfall and I appreciate your patience on this. We have been able to reproduce this internally and believe that there is an issue with Safari’s ViewController not clearing cookies. We’re going to file bug reports with Apple, but in the meantime, if you remove the Safari View Controller from the TWTRLoginMethod enum in Twitter.h, then you should be all set. More details on that here: https://docs.fabric.io/apple/twitter/log-in-with-twitter.html#log-in-with-twitter, about three paragraphs in.


#9

I’m still experiencing issues after modifying login methods. I have disabled web auth and only kept system accounts and forced web, and the issue still remains. Here is my login call:

Twitter.sharedInstance().logIn(withMethods: [.systemAccounts, .webBasedForceLogin])

After logging in once, then deleting my app, removing all system accounts and clearing all Safari data, I install and launch the app. It pops up with a web view and it automatically redirects and logs me in.

The fix for this seems to be restarting the device. If I log in successfully, then log out, delete the system Twitter account, restart the device, and then attempt to re-login, it correctly prompts me to log in via the web interface. There seems to be no need to clear the Safari cache in this case.

If I just specify the force web as the only login method it works every time and always prompts me to log in. However, that still populates the last username even after all the above cache clearing (unless the device is restarted).

So currently I’m unable to allow my users to re-login with another Twitter user without getting them to restart their device, which isn’t great. I obviously want to maintain the system account support for the convenience of the majority of users.

Have you heard from Apple regarding the bug report(s) you filed?


#10

Unfortunately we haven’t heard back from Apple yet on a resolution. I’m personally a bit curious though, how often have you heard from users wanting to log out of your app? In general, we’ve found once a user is logged in, they prefer to stay that way, so I’d love to hear your perspective on this.

-Mike


#11

I haven’t seen any enums in the twitter.h file?
How can I do the workaround you mentioned?