URLSession can access password protected directory without credentials
I am trying to download app content from a password protected directory of a website served by Apache24. The directory is protected using the following configuration segment:

```
<Directory "<directory path>">
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile <password file path>.htpasswd
    Require valid-user
</Directory>
```

Here is my Swift code (running on latest betas of iOS15 or macOS12):

```swift
import Foundation

// Error type referenced by the download code (its definition was not shown in the post)
enum HTTPError: Error {
    case withIdentifier(Int)
}

// Conforms to URLSessionDelegate so it can be passed as the session delegate
class Downloader: NSObject, URLSessionDelegate {
    lazy var downloadSession: URLSession = {
        // Setup configuration
        let configuration = URLSessionConfiguration.default
        configuration.allowsCellularAccess = true
        configuration.timeoutIntervalForResource = 60
        configuration.waitsForConnectivity = true

        // Add authorisation header to handle credentials
        let user = "*****"
        let password = "******"
        let userPasswordData = "\(user):\(password)".data(using: .utf8)
        let base64EncodedCredential = userPasswordData!.base64EncodedString()
        let authString = "Basic \(base64EncodedCredential)"

        // Add authorisation header to configuration
        //configuration.httpAdditionalHeaders = ["Authorization" : authString]

        return URLSession(configuration: configuration, delegate: self, delegateQueue: nil)
    }()

    // Download file using async/await
    func downloadAsync(subpath: String) async throws {
        // Requested file is appended to the server base URL
        let url = URL(string: "https://<server>/")!.appendingPathComponent(subpath)
        let request = URLRequest(url: url)
        let (data, response) = try await downloadSession.data(for: request)
        guard let httpResponse = response as? HTTPURLResponse, httpResponse.statusCode == 200 else {
            throw HTTPError.withIdentifier((response as? HTTPURLResponse)?.statusCode ?? -1)
        }
        print(String(data: data, encoding: .utf8) ?? "")
    }
}

let downloader = Downloader()

Task.init {
    do {
        try await downloader.downloadAsync(subpath: "<filename>")
    } catch {
        print("Unable to download file")
    }
}
```

As expected, if I run the code as is (with the authorisation header commented out) it does not download the file.

As expected, if I then uncomment the authorisation line, and run it again, it DOES download the file.

Here is the unexpected part (to me!): If I re-comment out the authorisation line, and run it again it STILL downloads the file. This can be repeated for several minutes, before it finally refuses to download the file.

The issue occurs on both iOS and macOS.

There is a clear gap in my understanding here about what is going on, so my questions are:

1. What is causing this behaviour? A session cookie on the client, or something on the server?
2. Does it represent a security risk? (Could another client without credentials download the file shortly after a legitimate download?)
3. If the answer to 2 is YES, how do I stop it?

Many thanks,
Bill Aylward
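A way to narrow question 1 down to client or server, as an added diagnostic that is not code from the post or from Apple: an ephemeral session with the URL cache and credential storage switched off, the Basic credential supplied only through the authentication-challenge delegate with no persistence, and a metrics callback that reports whether each response was a network load or a cache hit. The server URL, path and credentials are placeholders.

```swift
import Foundation
// Added diagnostic, not the post's code: no cache, no stored credentials, Basic auth only
// via the challenge delegate, and metrics showing whether a response came from the network.
final class DiagnosticDownloader: NSObject, URLSessionTaskDelegate {
    private let user = "<user>"          // hypothetical; the post masks its own
    private let password = "<password>"
    var sendCredentials = false
    lazy var session: URLSession = {
        let configuration = URLSessionConfiguration.ephemeral   // nothing persists across runs
        configuration.urlCache = nil                            // a stored 200 can never be replayed
        configuration.requestCachePolicy = .reloadIgnoringLocalCacheData
        configuration.urlCredentialStorage = nil                // the system cannot remember the credential
        return URLSession(configuration: configuration, delegate: self, delegateQueue: nil)
    }()
    // Returns the HTTP status: 401 without credentials shows the client is not replaying access.
    func fetch(_ url: URL, withCredentials: Bool) async throws -> Int {
        sendCredentials = withCredentials
        let (_, response) = try await session.data(from: url)
        return (response as? HTTPURLResponse)?.statusCode ?? -1
    }
    func urlSession(_ session: URLSession, task: URLSessionTask,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodHTTPBasic,
              sendCredentials, challenge.previousFailureCount == 0 else {
            completionHandler(.performDefaultHandling, nil)   // no credential: the 401 becomes the response
            return
        }
        // persistence: .none keeps the credential out of the keychain and shared storage
        completionHandler(.useCredential, URLCredential(user: user, password: password, persistence: .none))
    }
    func urlSession(_ session: URLSession, task: URLSessionTask, didFinishCollecting metrics: URLSessionTaskMetrics) {
        for transaction in metrics.transactionMetrics {
            let status = (transaction.response as? HTTPURLResponse)?.statusCode ?? 0
            let source = transaction.resourceFetchType == .localCache ? "local cache" : "network"
            print("\(task.originalRequest?.url?.path ?? "?") -> \(status) via \(source)")
        }
    }
}
// Placeholder URL (the post uses <server>/<filename>); example.invalid never resolves.
let url = URL(string: "https://example.invalid/protected/app-content.bin")!
let downloader = DiagnosticDownloader()
Task {
    let first = try await downloader.fetch(url, withCredentials: true)
    let second = try await downloader.fetch(url, withCredentials: false)
    print("with credentials: \(first), without: \(second)")   // 200 then 401 is the expected sequence
}
```

If the second fetch still returns 200 with every client-side store disabled and the metrics showing a network load, the state that grants access is not on the client, and the server (or anything between it and the client) is where to look.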
Replies: 3 · Boosts: 0 · Views: 1.7k · Created: Sep ’21