Ray Todd Stevens wrote:

>I am working on a web site that is using php controled www-
>authenticate authentication.  User ids are specific to users and 
>different pages and different levels of information for a given page 
>will be displayed based on the user id used.  The problem is how do 
>you log out without having to quit all browser sessions.

HTTP authentication is a protocol-level mechanism that is outside of 
PHP. Though PHP gives you some control over the HTTP response (the 
message from the Web server to the Web client), it cannot grant you 
control of future HTTP requests (messages from the Web client to the Web 
server), which is what you are wanting to do.

You see, there is no such thing as "logging out" with HTTP 
authentication (because you are never exactly logged in); every HTTP 
request must include the authentication credentials. Because most 
browsers will save this information rather than prompting for it for 
every request, it can appear as if you are "logged in" until the browser 
session is destroyed, but that's not actually how it works.

So, in case I did not explain that well, whether the Web browser returns 
the HTTP authentication credentials in future requests is entirely up to 
the Web browser and is thus a browser configuration issue. However, I'm 
not aware (someone feel free to correct me) of any browsers that allow 
you to turn off this caching behavior with regards to HTTP 
authentication anyway, so you will have no option other than to end the 
browser session.

That's not the answer you are wanting, but might I suggest you look into 
writing your own access restriction logic in PHP rather than using HTTP 
authentication. This is what most developers choose, and it will give 
you far more flexibility and security.

Happy hacking.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to