NSURLConnection will cache credentials. Here is an approach to find and erase specific credentials (so you are challenged again):

Is it possible to prevent an NSURLRequest from caching data or remove cached data following a request?

Hope that works for you, Steve

You have to do following steps to close session completely.

1. Remove all cookies
2. Remove all credentials
3. NSURLCredentialPersistence should be NSURLCredentialPersistenceNone

Unfortunately, there is currently no easy way of doing what you asked for:

Apple informative explanation: TLS Session Cache

Open Radar bug request: No way to clear TLS Cache with NSURLConnection

Solved!

It turns out that NSURLConnection was actually behaving correctly - that is, didReceiveAuthenticationChallenge: was being called for every authentication challenge.

The problem was that the server was not sending challenges after the first one. This turned out to be because the server was setting a cookie.

You can force a new challenge by simply deleting the cookie. Because there are no other useful cookies for this server, I just delete all of them:

- (void)clearCookiesForURL {
    NSHTTPCookieStorage *cookieStorage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
    NSArray *cookies = [cookieStorage cookiesForURL:_URL];
    for (NSHTTPCookie *cookie in cookies) {
        NSLog(@"Deleting cookie for domain: %@", [cookie domain]);
        [cookieStorage deleteCookie:cookie];
    }
}