I looked at how phpMyAdmin did it, and came up with this.

1) Put this at the top of your main page:

    // this handles the log out: the log out link passes the current user
    // name back as old_usr, and a 401 makes the browser prompt again
    // (superglobals are used so this does not depend on register_globals)
    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_GET['old_usr'])
        && $_GET['old_usr'] == $_SERVER['PHP_AUTH_USER']) {
        header('WWW-Authenticate: Basic realm="Your Protected Area Name"');
        header('HTTP/1.0 401 Unauthorized');
        echo '<html><body>This area requires authentication. If you are trying to log in and out as the same user, <A HREF="http://your_main_log_in_page">click here</A>.</body></html>';
        exit;
    } else {

2) End the else at the bottom of your main page (put in the ending }).

3) Add a link to log out, like this:

    <A HREF="http://your_main_log_in_page?old_usr=<?= urlencode($_SERVER['PHP_AUTH_USER']) ?>">Log out</A>

That seems to work the way phpMyAdmin does, which I think is snazzy!

HTH,

Peter Janett
New Media One Web Services

----- Original Message -----
From: "Ray Todd Stevens" <[EMAIL PROTECTED]>
To: "Chris Shiflett" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, July 28, 2002 10:16 PM
Subject: Re: [PHP] Logging out with authentication

> I do understand how this works. Yeah, the browser caches the
> information and returns it each time. I was trying to find a way to
> clear this cache. (seems to be a failure in current browsers that
> there is no command for this) Or have a system so that a cookie
> can be created that forces a change. The problem I have with the
> cookie solution is that cookies only seem to change if the page is
> fully loaded. I can reject the login and make them re-enter the
> userid/password if a cookie is set. But I then can't erase the cookie.
> Once it is set the user id and password never will work again until
> the browser exits.
>
> > Ray Todd Stevens wrote:
> >
> > >I am working on a web site that is using PHP controlled
> > >www-authenticate authentication. User ids are specific to users and
> > >different pages and different levels of information for a given page
> > >will be displayed based on the user id used. The problem is how do
> > >you log out without having to quit all browser sessions.
> > >
> >
> > HTTP authentication is a protocol-level mechanism that is outside of
> > PHP. Though PHP gives you some control over the HTTP response (the
> > message from the Web server to the Web client), it cannot grant you
> > control of future HTTP requests (messages from the Web client to the
> > Web server), which is what you are wanting to do.
> >
> > You see, there is no such thing as "logging out" with HTTP
> > authentication (because you are never exactly logged in); every HTTP
> > request must include the authentication credentials. Because most
> > browsers will save this information rather than prompting for it for
> > every request, it can appear as if you are "logged in" until the
> > browser session is destroyed, but that's not actually how it works.
> >
> > So, in case I did not explain that well, whether the Web browser
> > returns the HTTP authentication credentials in future requests is
> > entirely up to the Web browser and is thus a browser configuration
> > issue. However, I'm not aware (someone feel free to correct me) of any
> > browsers that allow you to turn off this caching behavior with regards
> > to HTTP authentication anyway, so you will have no option other than
> > to end the browser session.
> >
> > That's not the answer you are wanting, but might I suggest you look
> > into writing your own access restriction logic in PHP rather than
> > using HTTP authentication. This is what most developers choose, and it
> > will give you far more flexibility and security.
> >
> > Happy hacking.
> >
> > Chris
>
> ----------------------------------------------------------------------
> Ray Todd Stevens
> Senior Consultant
> Stevens Services
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
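
The alternative Chris suggests in the quoted message above (access restriction logic written in PHP instead of HTTP authentication) turns logout into something the server controls. A sketch of that follows as an added example that is not part of the original thread; it assumes PHP 7.3 or later, and the account `alice`, the form field names and the helper `field()` are constructed for illustration.

```php
<?php
// Added example: session-based login and logout (constructed account data).
session_start([
    'cookie_httponly' => true,    // session id not readable from script
    'cookie_samesite' => 'Lax',   // PHP 7.3+
    'use_strict_mode' => true,    // ignore session ids the server never issued
]);

// Constructed sample user; a real site loads stored hashes instead.
$users = ['alice' => password_hash('example-password', PASSWORD_DEFAULT)];

// Return a POST field only if it is a plain string.
function field(string $name): string
{
    return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : '';
}

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);                     // fresh id after login
    $_SESSION['user'] = $user;
    $_SESSION['csrf'] = bin2hex(random_bytes(16));   // token for the logout form
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();   // the server forgets the login, whatever the browser still holds
}

if (field('action') === 'login') {
    login($users, field('user'), field('pass'));
} elseif (field('action') === 'logout' && isset($_SESSION['csrf'])
          && hash_equals($_SESSION['csrf'], field('csrf'))) {
    logout();
}

if (isset($_SESSION['user'])) {
    $u = htmlspecialchars($_SESSION['user'], ENT_QUOTES);
    echo "<p>Logged in as $u</p><form method=\"post\">"
       . "<input type=\"hidden\" name=\"csrf\" value=\"{$_SESSION['csrf']}\">"
       . "<button name=\"action\" value=\"logout\">Log out</button></form>";
} else {
    echo '<form method="post"><input name="user"><input name="pass" type="password">'
       . '<button name="action" value="login">Log in</button></form>';
}
```

Because the login state lives in the server-side session rather than in credentials the browser replays on every request, destroying the session ends the login without closing the browser.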