On 27/08/13 15:37, Jim Giner wrote:
I"m using basic auth for a few of my pages that I want to limit access
to - nothing of a sensitive nature, but simply want to limit access to.
  Want to implement a signoff process, but can't figure it out.

 From the comments in the manual I take it one can't do this by simply
unsetting the PHP_AUTH_USER and _PW vars.  Can someone explain to me why
this doesn't suffice?  The signon process expects them to be there, so
when they are not (after the 'unset'), how come my signon process still
detects them and their values?

Hello Jim,

at the risk of under-estimating your knowledge (and over-estimating mine) of HTTP-requests in PHP - but here it goes.

I see two options of bypassing the JavaScript option.

The first one is to use the default authorization, and error pages of your HTTP server. (For example, in Apache: http://httpd.apache.org/docs/2.2/custom-error.html)
This is for a login with invalid credentials.
For some-one to leave the protected site, a HTTP-request without credentials, and to a URI outside the protected domain, should do (as every HTTP request into the protected domain should repeat the Authorisation header).

The second one is to leave header(), and go down one level, to the likes of fsockopen() or stream_socket_server() - though personally, I've only limited knowledge of a bit of client-side programming.

Unless I've completely misunderstood your question,
Hope this helps,


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to