Yes, Matt, you were right about tracking the authorized state with a
session. I actually thought about the same thing: keeping a variable somewhere
which will help to decide whether to send those "Authenticate" headers or
not - just didn't realize you meant the same thing. :)

And a little excerpt from proving the point:
"HTTP Authentication has the additional problem that there is no mechanism
available to the server to cause the browser to 'logout'; that is, to
discard its stored credentials for the user. This presents a problem for any
web application that may be used from a shared user agent. Requests for how
to force 'logout' appear almost daily in the netnews html and cgi authoring
groups, and are one of the most common support questions received by Agranat
Systems from their customers developing embedded systems web interfaces."

Cheers, Stas

PHP General Mailing List (
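
One way to implement the session-tracked state discussed in this message, as an added example that is not code from the thread. The realm name, the user table and the `action=logout` parameter are assumptions made for illustration.

```php
<?php
// Added example: a session flag decides whether to send the
// "WWW-Authenticate" challenge even when the browser supplies credentials.
declare(strict_types=1);
session_start();

const REALM = 'Example Area'; // assumed realm name

// Constructed user table (username => password hash). Hashing on every
// request is only for the demo; a real store keeps precomputed hashes.
$users = ['stas' => password_hash('constructed-password', PASSWORD_DEFAULT)];

function challenge(): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    exit('Authentication required.');
}

// "Logout": the server cannot clear the browser's cached credentials,
// so it records that the next set it receives must be refused once.
if (($_GET['action'] ?? '') === 'logout') {
    $_SESSION['authorized'] = false;
    $_SESSION['reject_once'] = true;
    exit('Logged out.');
}

// First request after logout: answer 401 regardless of what was sent,
// which makes the browser prompt again instead of reusing the cached pair.
if (!empty($_SESSION['reject_once'])) {
    unset($_SESSION['reject_once']);
    challenge();
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
$hash = $users[$user] ?? null;

if ($hash === null || !password_verify($pass, $hash)) {
    $_SESSION['authorized'] = false;
    challenge();
}

if (empty($_SESSION['authorized'])) {
    session_regenerate_id(true); // new session id on each fresh login
    $_SESSION['authorized'] = true;
}

echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The server only refuses the cached credentials once; the browser still stores whatever is typed at the next prompt, which is the limitation the quoted excerpt describes.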