My desktop app connects to a web application that’s hosted on Google App engine. Once it authenticates it gets an authtoken cookie that it passes along for all future requests. That all works.

But now I want to add “Sign out”. I’ve tried to implement Sign Out like this:

- (void)signOut {
    NSHTTPCookieStorage *cookieStorage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
    for (NSHTTPCookie *each in [[[cookieStorage cookiesForURL:[NSURL URLWithString:self.serviceRootURLString]] copy] autorelease]) {
        [cookieStorage deleteCookie:each];
    }
    [self clearCredentialStorage];
}

The problem is that it only seems to work the first time. For instance I can open my app. Sign in. Make some requests. Sign out. Then next time I make a request I’m asked to authenticate again. Good!

But after I authenticate the second time the problem happens. The authentication works. I get the authtoken cookie. I can make requests. But then when I try to log out for the second time (without restarting my app) the authtoken cookie doesn’t seem to get deleted. It does seem deleted from my apps perspective… I ask NSHTTPCookieStorage for the cookies that it has my URL and it returns none. But if I try to make another request (that should require the authtoken cookie) the request just works, I don’t get a 401 response and I’m never asked to authenticate again.

So if I’m understanding things correctly it seems that the cookies are deleted from my perspective, but they are not deleted from the underlying URL loading frameworks perspective.

Of possible interest, maybe the problem is related to: http://www.macworld.com/article/143343/2009/10/safaricookieproblems.html

Does anyone know how to consistently implement “log out” functionality in an app that interacts with a web service?

Thanks,
Jesse