Thanks for pointing me in the right direction. I managed to kill my existing authorisation credentials by throwing a 401 unauthorised header at IE.
Just in case anybody else is interested, here is the basic layout of the code I used (I did format it but that might have got lost, apologies if it has):

logout.php

<?php
session_start();
$_SESSION = array();
$_SESSION['LoggedOut'] = 'TRUE';
?>

login.php

<?php
session_start();
//Start by assuming user is not logged in.
$UserAuthenticated = false;
//Check that user has input login credentials.
if (isset($_SESSION['LoggedOut']) && $_SESSION['LoggedOut'] == 'TRUE') {
    header('WWW-Authenticate: Basic realm="www.ninemil.com"');
    header('HTTP/1.1 401 Unauthorized');
    $_SESSION['LoggedOut'] = 'FALSE';
    exit;
} else if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
    //Compare login credentials to data in database and see if they are valid.
    //See if the data check was successful
    $num = mysql_numrows($UserQuery);
    if ($num != 0) {
        //Set the session information to be used while logged in here.
        //Make sure code knows that user has been authenticated.
        $UserAuthenticated = true;
    }
}
if (!$UserAuthenticated) {
    //If user authentication has failed display error page.
    header('WWW-Authenticate: Basic realm="Realm Name"');
    header('HTTP/1.1 401 Unauthorized');
    //redirect to error page
    exit;
} else {
    //Redirect to default restricted area page for logged in users
}

"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]:
> > From: "Mark Collin" <[EMAIL PROTECTED]>
> >
> > Does anybody have any ideas on how I can prevent caching of
> > $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], or clear them?
>
> You can't clear them; they're sent by the browser. It'll keep resending
> the same values and your script will authenticate. Only way to get rid of
> it is to close the browser.
>
> You could attempt to force the user to log with a known bad username and
> password by using a link or header redirect.
>
> header('Location: http://username:[EMAIL PROTECTED]');
>
> Your login script should check for these known values and can react
> accordingly. You know they are bad, so you can either present them with
> another dialog to log back in or you can just not send any authentication
> headers and show them a "successfully logged out" page.
>
> ---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
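
The logout flow described in this message, as an added example that is not part of the original post: a decision function mirroring login.php's one-shot LoggedOut check, run against a constructed exchange in which the browser keeps resending the same cached credentials. The function names, realm, user table and password are assumptions made for the illustration, and password_verify() stands in for the database comparison the post leaves out.

```php
<?php
// Added example: simulates the login.php / logout.php flow from the post.
// The user table and all credentials below are constructed sample data.

const REALM = 'Restricted Area'; // hypothetical realm name

// Decide how to answer one request. $session is taken by reference so the
// one-shot LoggedOut flag can be cleared, as login.php does.
function decide_auth(array &$session, array $server, array $users): array
{
    $challenge = ['WWW-Authenticate: Basic realm="' . REALM . '"'];

    // After logout the browser still resends its cached credentials, so
    // refuse this one request regardless of what it carries.
    if (!empty($session['LoggedOut'])) {
        unset($session['LoggedOut']);
        return [401, $challenge];
    }

    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (is_string($user) && is_string($pass) && isset($users[$user])
        && password_verify($pass, $users[$user])) {
        $session['User'] = $user;
        return [200, []];
    }
    return [401, $challenge];
}

function logout(array &$session): void
{
    $session = ['LoggedOut' => true]; // drop everything else, as logout.php does
}

// Constructed exchange: the "browser" sends the same cached pair every time.
$users   = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$cached  = ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'correct horse'];
$session = [];

[$s1] = decide_auth($session, $cached, $users); // first visit, valid credentials
logout($session);
[$s2] = decide_auth($session, $cached, $users); // cached credentials right after logout
[$s3] = decide_auth($session, $cached, $users); // credentials typed again at the prompt
[$s4] = decide_auth($session, [], $users);      // request with no credentials

printf("%d %d %d %d\n", $s1, $s2, $s3, $s4);
```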