Hi, is there any way to tell Apache that it should restart the session and drop an existing HTTP auth?

I have a system where a user is first authenticated with HTTP auth against Apache and afterwards authorized for services within the PHP application. Once the user logs out I'd prefer to also reset the existing HTTP auth somehow.

Any ideas?

+2  A: 

Unfortunately, letting users log out was not defined in the various RFCs that cover HTTP auth.

The only way to simulate it is to return a 401 response, which will tell the browser that the credentials sent aren't valid. Unfortunately, the browser will then prompt the user to log back in again, and that probably isn't what you want to happen.

Charles
Well, not very comfortable, but it does what I was expecting. Thanks.
pagid
A: 

When a browser is authenticated using HTTP Basic Auth, it sends the valid Authorization header to that server on all subsequent requests.

Example #8 in this manual entry shows a way to ask the browser to re-authenticate, though. It will only work if the browser respects that request, and you'll probably have to code up a way to enforce this the first time the user comes BACK after signing out, instead of at the moment of signing out. (Otherwise, they'll sign out and be immediately asked for credentials again.)

grossvogel
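The two answers above boil down to one pattern: remember at logout that the user signed out, and on their first return send the 401 challenge (with a fresh realm, so the browser does not auto-answer from its credential cache) instead of doing so at the moment they click "log out". The following is an added example written for this thread, not code from any of the answers or from the PHP manual. It assumes Apache enforces Basic auth in front of the PHP application (so `$_SERVER['PHP_AUTH_USER']` is set on every request that reaches PHP) and that the application already uses PHP sessions; the function names and session keys are hypothetical.

```php
<?php
// Added example (not from the original answers). Assumes Apache's Basic auth
// runs in front of this PHP app and that session_start() has been called by
// the caller. Function names and session keys are hypothetical.

// Call from the application's own logout handler.
function mark_signed_out(): void
{
    // Browsers cache Basic credentials per realm. Generating a new realm
    // string here means the later 401 challenge names a realm the browser
    // has no cached pair for, so it prompts instead of silently replaying.
    $_SESSION['http_auth_logged_out'] = true;
    $_SESSION['http_auth_realm']      = 'app-' . bin2hex(random_bytes(8));
    session_regenerate_id(true);   // the old session id must not outlive the login
}

// Call at the top of every protected page, after session_start().
// Returns true when a 401 challenge was sent; the caller should stop rendering.
function enforce_signout_challenge(): bool
{
    if (empty($_SESSION['http_auth_logged_out']) || !isset($_SERVER['PHP_AUTH_USER'])) {
        return false;   // not signed out, or the browser sent no credentials to reject
    }

    // The browser is replaying the old credentials on the user's first return.
    // Answer with 401 and the new realm; this is deliberately NOT done inside the
    // logout handler, otherwise the user is prompted the moment they log out.
    header('WWW-Authenticate: Basic realm="' . $_SESSION['http_auth_realm'] . '"');
    header('HTTP/1.1 401 Unauthorized');
    header('Cache-Control: no-store');
    unset($_SESSION['http_auth_logged_out']);   // challenge only once per sign-out
    return true;
}

// Usage (constructed):
//   logout.php:          session_start(); mark_signed_out(); echo 'Signed out.';
//   any protected page:  session_start(); if (enforce_signout_challenge()) { exit; }
```

Two points worth checking when adopting this: the realm value is placed inside a quoted-string header, so it must not contain quotes or CR/LF (the hex string above is safe by construction), and a browser is under no obligation to discard the old credentials after the 401, which is the caveat both answers above already make.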
A: 

The common and most recommended method is:

  • send a 401 Unauthorized
  • ask for a different realm= with the WWW-Authenticate: header

But you can augment that with:

  • trying to initiate both (401 + new realm) over an XMLHttpRequest to a "fakelogout.php"
  • acknowledge this request as a successful login -> that way the browser is more likely to drop the previous credentials
mario
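The "fakelogout.php" augmentation in the answer above works because an XMLHttpRequest opened with explicit credentials (`xhr.open('GET', '/fakelogout.php', true, 'logout', 'logout')`) answers a 401 challenge with those dummy credentials; if the server then accepts them with 200, the browser caches the dummy pair in place of the real one, and the next request to a page Apache protects is rejected and prompts the user. The script below is an added example for this thread, not mario's code. It assumes fakelogout.php itself is not covered by Apache's Basic auth (otherwise Apache rejects the dummy credentials before PHP runs) and uses constructed values for the dummy user name and the realm.

```php
<?php
// fakelogout.php: added example, not from the original answer. Assumes this
// script is served outside the Apache-protected location and is called by an
// XMLHttpRequest that carries dummy credentials. Dummy user name and realm
// are constructed values.

const LOGOUT_USER  = 'logout';
const LOGOUT_REALM = 'logged-out';   // intentionally different from the real realm

$user = $_SERVER['PHP_AUTH_USER'] ?? '';

if ($user !== LOGOUT_USER) {
    // First pass: the browser sent the real credentials (or none).
    // Reject them and name a new realm so the XHR retries with the dummy pair.
    header('WWW-Authenticate: Basic realm="' . LOGOUT_REALM . '"');
    header('HTTP/1.1 401 Unauthorized');
    header('Cache-Control: no-store');
    exit;
}

// Second pass: the retry arrived with user "logout". Acknowledge it as a
// successful login so the browser keeps this pair instead of the real one.
header('Content-Type: text/plain');
header('Cache-Control: no-store');
echo "logged out";
```

Because this relies on per-browser credential-caching behaviour rather than anything in the HTTP RFCs, it is worth combining with the server-side session flag approach from the earlier answers so that the application still denies access even when the browser keeps the old credentials.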