Thanks for pointing me in the right direction.

I managed to kill my existing authorisation credentials by throwing a 
401 unauthorised header at IE.

Just in case anybody else is interested, here is the basic layout of the 
code I used (I did format it but that might have got lost, apologies if 
it has):

logout.php
<?php
session_start();
$_SESSION = array();             // drop everything stored for this user
$_SESSION['LoggedOut'] = 'TRUE'; // tell login.php to answer the next request with a 401
?>

login.php
<?php
session_start();
// Start by assuming user is not logged in.
$UserAuthenticated = false;
// A logout has just happened: send one 401 so the browser discards its
// cached credentials and prompts again.
if (isset($_SESSION['LoggedOut']) && $_SESSION['LoggedOut'] == 'TRUE')
{
        header('WWW-Authenticate: Basic realm="www.ninemil.com"');
        header('HTTP/1.1 401 Unauthorized');
        $_SESSION['LoggedOut'] = 'FALSE';
        exit;
}
// Check that user has input login credentials.
else if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
        // Compare login credentials to data in database and see if they are
        // valid ($UserQuery holds the result of that query; the query itself
        // is not shown here).
        // See if the data check was successful.
        $num = mysql_num_rows($UserQuery);
        if ($num != 0)
        {
                // Set the session information to be used while logged in here.
                // Make sure code knows that user has been authenticated.
                $UserAuthenticated = true;
        }
}
if (!$UserAuthenticated)
{
        // If user authentication has failed display error page.
        header('WWW-Authenticate: Basic realm="Realm Name"');
        header('HTTP/1.1 401 Unauthorized');
        // redirect to error page
        exit;
}
else
{
        // Redirect to default restricted area page for logged in users
}
?>


"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]:
> > From: "Mark Collin" <[EMAIL PROTECTED]>
> >
> > Does anybody have any ideas on how I can prevent caching of
> > $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], or clear them?
>
> You can't clear them; they're sent by the browser. It'll keep resending
> the same values and your script will authenticate. Only way to get rid of
> it is to close the browser.
>
> You could attempt to force the user to log in with a known bad username and
> password by using a link or header redirect.
>
> header('Location: http://username:[EMAIL PROTECTED]');
>
> Your login script should check for these known values and can react
> accordingly. You know they are bad, so you can either present them with
> another dialog to log back in or you can just not send any authentication
> headers and show them a "successfully logged out" page.
>
> ---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
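The logout-flag-then-401 flow from the post, as an added example that is not code from the post, from PHP or from the list: a pure request handler in Python, so the browser side can be simulated and checked without a browser. The realm, the paths, the PBKDF2 user store and the session dict standing in for $_SESSION are all constructed for the example. The last step of the usage below shows John Holmes's point: after the one 401, a browser that simply resends the same cached credentials is let straight back in, because the server cannot erase them.

```python
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple

REALM = "example.invalid"  # placeholder realm, not the poster's

# Constructed user store: username -> PBKDF2 hash of the password. A real
# deployment would load this from its database (the post's $UserQuery step).
_SALT = b"constructed-salt-for-the-example"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 20_000)


USERS = {"alice": _hash("correct horse")}


def basic_header(user: str, password: str) -> str:
    """What a browser sends on every request once it has cached Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an Authorization header value, or None when
    the header is missing, uses another scheme, or is not valid base64."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep:
        return None
    return user, password


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison; an unknown user still pays for one hash so the
    response time does not reveal which usernames exist."""
    candidate = _hash(password)
    stored = USERS.get(user)
    if stored is None:
        hmac.compare_digest(candidate, candidate)
        return False
    return hmac.compare_digest(stored, candidate)


def handle(path: str, authorization: Optional[str],
           session: dict) -> Tuple[int, List[Tuple[str, str]]]:
    """Handle one request; `session` plays the role of PHP's $_SESSION.
    Returns (status code, response headers)."""
    challenge = [("WWW-Authenticate", f'Basic realm="{REALM}"')]

    if path == "/logout":
        session.clear()
        session["logged_out"] = True
        return 200, []  # "you are logged out" page, no challenge sent

    if session.pop("logged_out", False):
        # Exactly one 401 after logout: this is what makes the browser prompt
        # again. The server cannot erase the browser's cache; if the browser
        # resends the same credentials they are accepted below as before.
        return 401, challenge

    creds = parse_basic(authorization)
    if creds is None or not credentials_valid(*creds):
        return 401, challenge

    session["user"] = creds[0]
    return 200, []
```

Usage: call `handle("/private", basic_header("alice", "correct horse"), session)` for a normal request, `handle("/logout", ..., session)` to set the flag, then repeat the first call twice: the first repeat gets the 401 with the WWW-Authenticate challenge, the second is accepted again because the credentials are still valid. Only a new prompt in the browser (or closing it) actually changes what it sends.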