scubak1w1 wrote:
""Michael A. Peters"" <> wrote in message
scubak1w1 wrote:
I have a series of web sites which use https:// authentication (using AD integration to 'check the credentials' as it were) - all seems to be working well..

I have been Googling et al. for a way to log the user off the site "fully"...

I can do a series of things on the server side per Dreamweaver's Server Behaviour / User Authentication | Log Out User, etc - but the client's browser cache (?) still keeps the credentials, and so ifthey return to the site (say, with their back button) they can get right back in...
Sounds like you are not properly expiring the session.
The only login credentials that ever should be stored with the client is a session id.

Expire the session id - and the session ID in their cookie becomes completely meaningless.

OK, I will go back and reread...

My understanding was that SSL aka https was taking care of the credential checking using, in our case, Active Directory user entries - and that PHP was just grabbing the UID from that source - for instance, what I do is:

//grab the logged on user, depending on whether they logged on with the domain prepended
  if(substr_count($_SERVER['REMOTE_USER'],"\\") != 0)
    //the logon has a domain prepended before the 'actual' UID
list($logged_on_domain, $logged_on_user) = split('\\\\', $_SERVER['REMOTE_USER']); //grab the logged on user off the IIS server variable/s, and split off the (presumed) "[domain]\" portion and essentially discard <--NOTE USE OF FOUR(4)backslashes as needs to be *double escaped*
//no domain (assume) prepended before the back slash, so just the 'actual' UID
    $logged_on_user = $_SERVER['REMOTE_USER'];

I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when I return to the secure page the user's browser cache (?) has reset $_SERVER['REMOTE_USER'] to be their previously logged on user name - so they are still logged in...

So maybe my "logging off" question is not really PHP-specific? Hmmm....

I will go back and reread various pages (paper and online) with your suggestion/s as the context - so thank you...

I don't know much about active directory but I thought one of the points of AD was to eliminate the need for a user to log in since they are already authenticated by the centralized AD system.

If you want to use active directory as the only user authentication method then as long as the browser sends the credentials it will verify and the user is logged in.

You could probably use password _in addition to_ active directory to authenticate a php session, allowing you increased security over just a session token (IE browser has to send valid php session AND active directory credentials) but if you want a user to have to login in addition to active directory credentials, use php sessions on your server, and upon succesful login w/ proper AD credentials set a session variable that says they are authenticated.

When they log out, unset the session variable that says they are logged in and expire the session. Then regardless of their AD credentials, they will have to log in again to be verified by the session system.

SSL doesn't do anything magic as far as user authentication is concerned, it simply provides a public/private key encryption so that (theoretically) only the browser can decrypt what the server sends and only the server can decrypt what the browser sends.

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to