I do understand how this works.  Yea the browser caches the 
information and returns it each time. I was tryiung to find a way to 
clear this cache.  (seems to be a failure in current browsers that 
there is no command for this)  Or have a system so that a cookie 
can be created that forces a change.  The problem I have with the 
cookie solution is that cookies only seem to change if the page is 
fully loaded.  I can rejject the login and make them reinter the 
userid.password if a cookie is set.  But I then can't erase the cookie.  
Once it is set the user id and password never will work again until 
the browser exits.

> Ray Todd Stevens wrote:
> >I am working on a web site that is using php controled www-
> >authenticate authentication.  User ids are specific to users and
> >different pages and different levels of information for a given page
> >will be displayed based on the user id used.  The problem is how do
> >you log out without having to quit all browser sessions.
> >
> HTTP authentication is a protocol-level mechanism that is outside of
> PHP. Though PHP gives you some control over the HTTP response (the
> message from the Web server to the Web client), it cannot grant you
> control of future HTTP requests (messages from the Web client to the
> Web server), which is what you are wanting to do.
> You see, there is no such thing as "logging out" with HTTP 
> authentication (because you are never exactly logged in); every HTTP
> request must include the authentication credentials. Because most
> browsers will save this information rather than prompting for it for
> every request, it can appear as if you are "logged in" until the
> browser session is destroyed, but that's not actually how it works.
> So, in case I did not explain that well, whether the Web browser
> returns the HTTP authentication credentials in future requests is
> entirely up to the Web browser and is thus a browser configuration
> issue. However, I'm not aware (someone feel free to correct me) of any
> browsers that allow you to turn off this caching behavior with regards
> to HTTP authentication anyway, so you will have no option other than
> to end the browser session.
> That's not the answer you are wanting, but might I suggest you look
> into writing your own access restriction logic in PHP rather than
> using HTTP authentication. This is what most developers choose, and it
> will give you far more flexibility and security.
> Happy hacking.
> Chris

Ray Todd Stevens     Specialists in Network and Security 
Senior Consultant    Software audit service available
Stevens Services
Suite 21
3754 Old State Rd 37 N
Bedford, IN 47421
(812) 279-9394

Thought for the day:
    Concerto (n): a fight between a piano and a pianist.

For PGP public key send message with subject 
please send PGP key

If this message refers to an attachment the attachment
may arrive as a seperate mail message depending on the
type of mail client and gateway software you are using.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to