Closed vvbutko closed 1 year ago
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
Created using an incorrect GitHub account. Closing.
Summary
This PR modifies the cookie clearing behavior to make it more consistent with the behavior observed in the Gigya Android SDKs. Specifically, it removes the unexpected cookie clearing during the implicit initialization when a session has expired but the user has not logged out.
Motivation
We have encountered unexpected cookie clearing from the Gigya SDK during implicit initialization. This situation arises from the SessionService.clearCookies() method, which is invoked from SessionService.startSessionCountdownTimerIfNeeded(), when if !session.isValid() is true. The session is invalid because it has expired (GigyaSession.isValid() returns false).
In our view, device cookie clearing should occur upon logout, not when the session expires. This logic aligns with the Android SDK's behaviour, which we also use and where we do not encounter any issues. A comparative analysis of the iOS and Android SDKs has revealed this discrepancy.
It's worth noting that utilizing Gigya.sharedInstance().setClearCookies(to: false) does not solve the issue, as it only alters the behaviour after explicit init completion, while the unexpected clearing takes place during the "implicit" init.
Modifications
Below are the suggested modifications, along with references to the Android SDK for context.
1. Remove cookie clearing from session clearing.
The SessionService.clearSession() method is invoked when the session expires and should not clear the cookies.
Android code reference: SessionService.java line 282. No cookie clearing is present during session clearing.
2. Implement cookie clearing upon user logout.
The BusinessApiService.logOut(completion:) method should explicitly clear the cookies. Previously, logout triggered sessionService.clear(), which cleared cookies. However, this does not allow the separation of cookie clearing from session expiration. By moving the cookie clearing call directly to BusinessApiService, we enforce it only upon user logout, eliminating the unexpected behaviour.
Android code reference: SessionService.java line 294. The only instances where cookies can be cleared are from clearCookiesOnLogout(), which in turn is invoked from only two places:
For the iOS SDK, both of these logout flows invoke BusinessApiService.logOut(completion:), ensuring cookies will be cleared in all logout scenarios as expected.