What to do in case onDemand is enabled, but connection is not allowed

I've implemented a VPN app with Packet Tunnel Provider for iOS and macOS.

During the conenction process, in addition to the username and the password, I'm also sending a cookie to my server.


Now I have this scenario: The user configured the VPN to be on-demand with a rule to always connect, and then he connected the VPN.

While the user is connected, some time passes, and then the cookie is expired. So my server shuts down the tunnel.

I'm recognizing this "expired cookie" error at the Extension, and I'm stopping the tunnel as well.


But because of the on-demand, the OS will call again to startTunnelWithOptions() and when it will fail (because of the expired cookie), it will call it again and again.

It will be solved only when the user will open the app, and do some action to get another cookie.


Is there a way to stop the onDemand from the Extension, even if the containing app is closed?

If no - is there another solution to this problem?


P.S - till now what I did was to display an alert to the user on those cases, but it's not a "complete" solution, and also it had some issuess. I opened another thread regarding this.

What to do in case onDemand is enabled, but connection is not allowed
 
 
Q