At 18:04 27.11.2002, 1LT John W. Holmes spoke out and said:
--------------------[snip]--------------------
>I'm surprised that is actually working, since you never register $auth into
>the session.
--------------------[snip]--------------------
Nothing to do with session... Here PHP_AUTH is used, so once logged in the
browser always transmits the realm's auth info. The script is constantly
looking up the database. Some kind of overkill... and also a drawback in
using the HTTP/Auth method. You cannot keep the browser from transmitting
auth info for the same realm.

If PHP_AUTH is to be used I'd suggest using a dynamic realm to keep the
browser from auto-logging in, something like this:

session_start();

// The browser's credentials arrive in $_SERVER (the register_globals
// names were $PHP_AUTH_USER / $PHP_AUTH_PW); only look them up while the
// session is not yet authorized.
if (empty($_SESSION['authorized'])
    && isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    // do the database lookup here, if successful:
    $_SESSION['authorized'] = true;
}

// no "else" here!
if (empty($_SESSION['authorized'])) {
    // date/time in the realm: every challenge names a realm the browser
    // has no cached credentials for
    $realm = date('Y/M/d H:i:s');
    header('WWW-Authenticate: ' .
           'Basic realm="Pushpinder Singh\'s World ' . "($realm)" . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}

Do not destroy the session upon logout, just unset the auth variable:

// placed after the lookup block above; otherwise the credentials the
// browser resends with the logout request authorize the session again
unset($_SESSION['authorized']);

This will create a "unique" realm due to the use of date/time, so when the
user logs off he will be presented with a 401 response, even if the browser
has cached the login info from the previous login attempt. Another realm,
another game.

Disclaimer: untested, as usual.

-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/
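A simulation of the realm trick described in the message above, added here as an illustration; it is not part of the original message and not the poster's script. It is Python rather than PHP: a toy browser that caches Basic credentials per realm and resends them unasked (the behaviour the post says cannot be switched off; the model assumes the browser only shows a login dialog for a realm it has no credentials for), and a toy server that keeps the post's $_SESSION['authorized'] flag. The user table, realm text and request sequence are constructed for the simulation, and a challenge counter stands in for date() so the realm changes on every challenge.

```python
"""Constructed model of the HTTP Basic auth realm trick from the post.
Not PHP and not the poster's script; every name and value here is an
assumption made for the simulation."""
import base64

USERS = {"alice": "s3cret"}          # constructed "database" of one account


class Server:
    def __init__(self, dynamic_realm, logout_first=False):
        self.dynamic_realm = dynamic_realm
        self.logout_first = logout_first   # where the logout unset() sits
        self.session = {}                  # stands in for $_SESSION
        self.challenge_no = 0              # stands in for date() in the realm

    def _realm(self):
        self.challenge_no += 1
        base = "Pushpinder Singh's World"
        return "%s (%d)" % (base, self.challenge_no) if self.dynamic_realm else base

    def _lookup(self, auth):
        """The 'database lookup': decode user:pw from the header and compare."""
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:                 # bad base64 or bad UTF-8
            return False
        return USERS.get(user) == pw

    def handle(self, headers, logout=False):
        """One request. Returns (status, response_headers)."""
        auth = headers.get("Authorization", "")
        if logout and self.logout_first:
            self.session.pop("authorized", None)   # wrong place, see run()
        if not self.session.get("authorized") and auth.startswith("Basic "):
            if self._lookup(auth):
                self.session["authorized"] = True
        if logout and not self.logout_first:
            self.session.pop("authorized", None)   # unset the flag, keep the session
        # no "else": fall through to the check regardless
        if not self.session.get("authorized"):
            return 401, {"WWW-Authenticate": 'Basic realm="%s"' % self._realm()}
        return 200, {}


class Browser:
    def __init__(self, user, pw):
        self.cred = "Basic " + base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()
        self.cache = {}               # realm -> Authorization header value
        self.current_realm = None     # realm of the last challenge seen
        self.prompts = 0              # login dialogs shown to the user
        self.user_enters_password = True

    def get(self, server, logout=False):
        headers = {}
        if self.current_realm in self.cache:
            headers["Authorization"] = self.cache[self.current_realm]   # resent unasked
        status, resp = server.handle(headers, logout)
        if status != 401:
            return status
        realm = resp["WWW-Authenticate"].split('realm="', 1)[1].rstrip('"')
        self.current_realm = realm
        if realm not in self.cache:
            self.prompts += 1                 # unknown realm: a dialog appears
            if not self.user_enters_password:
                return 401                    # user cancels; page shows the 401 body
            self.cache[realm] = self.cred
        status, _ = server.handle({"Authorization": self.cache[realm]}, logout)
        return status


def run(dynamic_realm, logout_first=False):
    """Login, browse once, log out (user refuses any dialog), browse again.
    Returns (login dialogs shown, logout response status, status afterwards)."""
    srv = Server(dynamic_realm, logout_first)
    br = Browser("alice", "s3cret")
    br.get(srv)                          # first visit: challenge, dialog, login
    br.get(srv)                          # credentials resent unasked; still 200
    br.user_enters_password = False      # from here on the user wants out
    logout_status = br.get(srv, logout=True)
    after_status = br.get(srv)
    return br.prompts, logout_status, after_status


if __name__ == "__main__":
    print("fixed realm:        ", run(False))       # (1, 401, 200): silently back in
    print("dynamic realm:      ", run(True))        # (3, 401, 401): stays logged out
    print("unset before lookup:", run(True, True))  # (1, 200, 200): logout never happens
```

Running it shows the three cases: with a fixed realm the logout page answers 401, but the browser resends the cached credentials on the next request and the session is authorized again without any dialog; with the dynamic realm the user is prompted for a realm the browser has nothing for and, refusing the dialog, stays logged out; and if the unset() runs before the lookup block, the credentials resent with the logout request re-authorize the session and the logout never takes effect. The Authorization: Basic header carries no realm, so the server cannot tell which challenge the credentials were typed for; the whole scheme rests on the browser's prompting behaviour, not on anything the server can verify.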