You don't unset the variable.  The variable comes from your browser
sending an Authenticate http request header, so as long as the browser
sends this header, the variable is going to get created.  The way to unset
it is then to stop the browser from sending this Authenticate header.

Currently there is no way to tell a browser to not send this header
cleanly.  Sending a 401 is the only way, but as you mentioned that pops up
the login button.  So basically you will have to layer some additional
mechanism on top of the http auth system to achieve what you want.


 On Wed, 8 May 2002, Mark Virtue wrote:

> I'm having a devil of a time trying to "unset" the built-in global
> $PHP_AUTH_USER.  My aim is to have a "logout" button.
> Obviously the first thing to try is unset($PHP_AUTH_USER).  No good -
> when I refresh the page it's back.
> Then I tried unset($_SERVER['PHP_AUTH_USER']) - same deal.  I also tried
> session_destroy() and unset($_COOKIE[session_name()]).  All failed - as
> soon as I refresh the page, the $PHP_AUTH_USER value is restored.
> I heard that if you send the header lines:
>     Header('WWW-Authenticate: Basic realm="My Realm"');
>     Header("HTTP/1.0 401 Unauthorized");
> ...then the browser clear its authentication cache (and the value is
> forgotten), but those lines also cause that username/password dialog to
> pop up.  That's not what I want.  I want logout functionality, not log
> in again functionality.
> Anyone know how to make the value of $PHP_AUTH_USER get completely
> forgotten via a couple of simple lines of code?  It should be easy - how
> many sites out there do you see with a "log out" button?
> Mark.
> P.S.  The logout facility in phpMyAdmin has problems - it's actually a
> "relogin" facility, and if you supply the same username and password you
> don't get logged in.

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to