I looked at how phpMyAdmin did it, and came up with this.

1) Put this at the top of your main page:

// this handles the log out
if (isset($PHP_AUTH_USER) && $old_usr == $PHP_AUTH_USER) {
    header('WWW-Authenticate: Basic realm="Your Protected Area Name"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<html><body>This area requires authentication. If you are trying to
log in and out as the same user,
<A HREF="http://your_main_log_in_page">click here</A>.</body></html>';
    exit;
} else {

2) End the else at the bottom of your main page (put in the ending }).

3) Add a link to log out, like this:
<A HREF="http://your_main_log_in_page?old_usr=<?= $PHP_AUTH_USER?>">Log out</A>

That seems to work the way phpMyAdmin does, which I think is snazzy!

HTH,

Peter Janett


----- Original Message -----
From: "Ray Todd Stevens" <[EMAIL PROTECTED]>
To: "Chris Shiflett" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, July 28, 2002 10:16 PM
Subject: Re: [PHP] Logging out with authentication


> I do understand how this works.  Yea the browser caches the
> information and returns it each time. I was trying to find a way to
> clear this cache.  (seems to be a failure in current browsers that
> there is no command for this)  Or have a system so that a cookie
> can be created that forces a change.  The problem I have with the
> cookie solution is that cookies only seem to change if the page is
> fully loaded.  I can reject the login and make them re-enter the
> userid.password if a cookie is set.  But I then can't erase the cookie.
> Once it is set the user id and password never will work again until
> the browser exits.
>
> > Ray Todd Stevens wrote:
> >
> > >I am working on a web site that is using php controlled www-
> > >authenticate authentication.  User ids are specific to users and
> > >different pages and different levels of information for a given page
> > >will be displayed based on the user id used.  The problem is how do
> > >you log out without having to quit all browser sessions.
> > >
> >
> > HTTP authentication is a protocol-level mechanism that is outside of
> > PHP. Though PHP gives you some control over the HTTP response (the
> > message from the Web server to the Web client), it cannot grant you
> > control of future HTTP requests (messages from the Web client to the
> > Web server), which is what you are wanting to do.
> >
> > You see, there is no such thing as "logging out" with HTTP
> > authentication (because you are never exactly logged in); every HTTP
> > request must include the authentication credentials. Because most
> > browsers will save this information rather than prompting for it for
> > every request, it can appear as if you are "logged in" until the
> > browser session is destroyed, but that's not actually how it works.
> >
> > So, in case I did not explain that well, whether the Web browser
> > returns the HTTP authentication credentials in future requests is
> > entirely up to the Web browser and is thus a browser configuration
> > issue. However, I'm not aware (someone feel free to correct me) of any
> > browsers that allow you to turn off this caching behavior with regards
> > to HTTP authentication anyway, so you will have no option other than
> > to end the browser session.
> >
> > That's not the answer you are wanting, but might I suggest you look
> > into writing your own access restriction logic in PHP rather than
> > using HTTP authentication. This is what most developers choose, and it
> > will give you far more flexibility and security.
> >
> > Happy hacking.
> >
> > Chris
> >
> >
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
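
The logout check from steps 1 to 3 at the top of this message, as an added example that is not code from the original post: it reads the values from `$_SERVER` and `$_GET` (the bare `$PHP_AUTH_USER` and `$old_usr` rely on `register_globals`, which PHP 5.4 removed), compares with `===`, and escapes the user name in the logout link. The function names and the no-credentials branch are assumptions; the realm and URL are the post's placeholders.

```php
<?php
// Added example, not from the original post. Realm and URL are the post's
// placeholders; the function names are hypothetical.
const REALM      = 'Your Protected Area Name';
const LOGIN_PAGE = 'http://your_main_log_in_page';

// True when the response must be a 401 challenge instead of the page.
function needs_challenge(?string $authUser, ?string $oldUser): bool
{
    if ($authUser === null || $authUser === '') {
        return true; // assumption: a request without credentials is challenged too
    }
    // Logout link followed and the browser is still replaying that user's
    // credentials. === avoids the numeric-string juggling of ==
    // ("1e3" == "1000" is true).
    return $oldUser !== null && $oldUser === $authUser;
}

// Logout URL carrying the current user, safe to place inside href="...".
function logout_href(string $authUser): string
{
    $url = LOGIN_PAGE . '?old_usr=' . rawurlencode($authUser);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

$authUser = $_SERVER['PHP_AUTH_USER'] ?? null;
$oldUser  = $_GET['old_usr'] ?? null;
if (!is_string($oldUser)) {
    $oldUser = null; // ignore array input such as ?old_usr[]=x
}

if (needs_challenge($authUser, $oldUser)) {
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    // Link back without old_usr so the same user can log in again.
    echo '<html><body>This area requires authentication. '
       . '<a href="' . htmlspecialchars(LOGIN_PAGE, ENT_QUOTES, 'UTF-8') . '">Log in</a>.'
       . '</body></html>';
    exit;
}

// The rest of the page runs here, as in the post's else-branch; checking the
// password against a user store is outside what the post shows.
echo '<a href="' . logout_href($authUser) . '">Log out</a>';
```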


