Possible Duplicate:
HTTP authentication logout via PHP

Hi

I have some functionality on my website protected using .htaccess and .htpasswd. When users attempt to access this, they get a prompt to enter details. They enter their details and get in and can see stuff etc. All works fine.

My question is how do I create a logout functionality for this type of authentication. I know that they can close the browser window to "Logout". But this is not ideal. What would you suggest to me?

Thanks.

+10  A: 
Ludwig Weinzierl
Ah, I see .. thanks.
Wbdvlpr
+2  A: 

It is only possible in Firefox. What you do is send the user to http://logout:[email protected]/logout. This will replace their current username/password and since they now have the wrong username/password, they can't do anything. On Opera this does not work, because you can have several usernames/passwords at the same time. It didn't work on IE either, because IE does not appear to support http://username:[email protected] URLs.

Marius
+1  A: 

It IS kind of possible to log out. You should implement a logout page, which will return HTTP 401 until the user enters BAD login information, and then redirect somewhere else. The browser remembers the latest login information accepted, and therefore overrides the correct login.

But this is kinda unusable, cos it needs user's cooperation.

Yossarian
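
The logout page described in the answer above, sketched as a small WSGI handler. This is an added example, not code from any of the posters; the realm name, the in-memory credential store (standing in for .htpasswd) and the redirect target are assumptions. The realm in the challenge has to match the realm of the protected area, because browsers cache Basic credentials per origin and realm.

```python
import base64
import hmac

REALM = "Members"            # assumption: must equal the AuthName of the protected area
VALID = {"alice": "s3cret"}  # constructed sample store; stands in for .htpasswd
AFTER_LOGOUT = "/"           # assumption: where to send the user once logged out


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if unusable."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def still_logged_in(header):
    """True when the request has no credentials or has ones that still work."""
    creds = parse_basic(header)
    if creds is None:
        return True  # nothing usable sent yet: challenge so the browser prompts
    expected = VALID.get(creds[0])
    return expected is not None and hmac.compare_digest(
        expected.encode(), creds[1].encode())


def logout_app(environ, start_response):
    """WSGI handler for /logout: challenge until the browser sends bad credentials."""
    if still_logged_in(environ.get("HTTP_AUTHORIZATION")):
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", f'Basic realm="{REALM}"'),
            ("Content-Type", "text/plain"),
        ])
        return [b"Enter any wrong username/password to log out.\n"]
    # Bad credentials arrived for this realm: accept them and move on.
    start_response("302 Found", [("Location", AFTER_LOGOUT)])
    return [b""]
```
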
A: 

I ran into this issue several years ago. It is incredibly frustrating to discover there is a problem everyone is having and no one seems to want to solve in a general way.

As noted in Inadequate Logout functionality in HTTP Authentication I think the answer is to change the RFC to allow timeouts and support a log out button. The author's additional suggestion that the server be able to send a "log out" header would actually eliminate the need for any client user agent support since websites could simply include a link on a web page to a URL that returns the necessary response code and/or header to invalidate the current session.

Grant Wagner