Hi Lee, The way that I do this is I combine PHP's sessions with mod_auth_kerb. I use mod_auth_kerb to protect only a single "login" or "session" URL, say, "/session/http". When the user successfully does Kerberos auth to Apache, I grab the REMOTE_USER variable as the user's login name, and store that in a PHP session.
The rest of the web application is not protected by mod_auth_kerb. I just rely on the PHP session to determine whether a user is logged in or not. To cause the user to log out, I just have to discard the PHP session in the application's code. This method also has the added bonus of loosely coupling Kerberos from your application. Kerberos can be just one of several available login mechanisms that you present to the user. The downside is that instead of simply checking REMOTE_USER everywhere, you now need to use PHP's session handling. Ideally, if you're using some sort of web application framework, the intricacies of session handling are abstracted away for you, and it's simple to register new sessions, "login" or "logout" a user, etc. - Ken On Tue, Mar 5, 2013 at 9:53 AM, Lee Eric <openlinuxsou...@gmail.com> wrote: > Hi, > > My site(Apache httpd + mod_auth_kerb) is using Kerberos as > authentication method and written by PHP. Is there possible that I can > use PHP codes like Logout to "cleat" Kerberos login credentials? Then > after page refresh user can input username/password again. > > I noticed that Firefox and Chrome can do this to clean active logins. > Just don't know how to do that. > > Here's my Kerberos configs in httpd. > > AuthType Kerberos > AuthName "Kerberos Login" > require valid-user > KrbMethodNegotiate On > KrbAuthRealms GARFIELD.INTERNAL > Krb5Keytab "/etc/httpd/httpd.keytab" > > Thanks. > > Eric > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos