Thanks for pointing me in the right direction.
I managed to kill my existing authorisation credentials by throwing a
401 unauthorised header at IE.
Just in case anybody else is interested, here is the basic layout of the
code I used (I did format it but that might have got lost, apologies if
it has):
logout.php

<?php
session_start();
// Drop everything stored for this session and flag that the user logged out.
$_SESSION = array();
$_SESSION['LoggedOut'] = 'TRUE';
?>

login.php

<?php
session_start();
// Start by assuming the user is not logged in.
$UserAuthenticated = false;

// If the user has just logged out, send a 401 so the browser discards the
// cached Basic credentials and prompts for new ones, then clear the flag.
if (isset($_SESSION['LoggedOut']) && $_SESSION['LoggedOut'] == 'TRUE')
{
    header('WWW-Authenticate: Basic realm="www.ninemil.com"');
    header('HTTP/1.1 401 Unauthorized');
    $_SESSION['LoggedOut'] = 'FALSE';
    exit;
}
// Otherwise check that the user has supplied login credentials.
else if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
    // Compare the login credentials to the data in the database and see if
    // they are valid; $UserQuery holds the result set of that lookup.
    // See if the data check was successful.
    $num = mysql_num_rows($UserQuery);
    if ($num != 0)
    {
        // Set the session information to be used while logged in here.
        // Make sure the code knows that the user has been authenticated.
        $UserAuthenticated = true;
    }
}

if (!$UserAuthenticated)
{
    // If user authentication has failed, challenge again and display the error page.
    header('WWW-Authenticate: Basic realm="Realm Name"');
    header('HTTP/1.1 401 Unauthorized');
    // Redirect to error page.
    exit;
}
else
{
    // Redirect to the default restricted-area page for logged-in users.
}
?>
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]:
> > From: "Mark Collin" <[EMAIL PROTECTED]>
> >
> > Does anybody have any ideas on how I can prevent caching of
> > $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], or clear them?
>
> You can't clear them; they're sent by the browser. It'll keep resending
> the same values and your script will authenticate. Only way to get rid of
> it is to close the browser.
>
> You could attempt to force the user to log in with a known bad username and
> password by using a link or header redirect.
>
> header('Location: http://username:[EMAIL PROTECTED]');
>
> Your login script should check for these known values and can react
> accordingly. You know they are bad, so you can either present them with
> another dialog to log back in or you can just not send any authentication
> headers and show them a "successfully logged out" page.
>
> ---John Holmes...
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php