There has been considerable discussion about this in the past; check the archive.
Changing realm doesn't help, because the browser remembers passwords by realm.
You really do have to have session control.

[EMAIL PROTECTED] wrote:

> > > password as expected. It all works. However, my customer has asked for either a
> > > timeout, a [Logout] button, or both so that the browser basically 'forgets' the
> > > user id. This would then remove the requirement for the user to close down the
> > > browser when they leave their system.
> >
> > Exactly. The Basic Authentication scheme requires that the username and
> > password be sent with each request; most browsers store this information
> > after it has been entered once, and hang onto it until they are closed down.
>
> The way I've done this in the past is to have a logout button
> that loads a page that's password-protected under another realm.
> It's kind of suboptimal, but it might serve as a starting point.
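
Added example, not part of the original thread: a minimal server-side session store showing the timeout and [Logout] behaviour requested above, which Basic Authentication cannot provide because the browser resends its cached credentials on every request. The names `SessionStore`, `session_cookie`, `clear_cookie` and the cookie name `sid` are assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions with idle timeout and explicit logout (illustrative)."""

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self.idle_timeout = idle_timeout      # seconds of inactivity allowed
        self.clock = clock                    # injectable so expiry can be tested
        self._sessions = {}                   # token -> (user, last_seen)

    def login(self, user):
        """Call after the password check succeeds; returns an unguessable token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self.clock())
        return token

    def authenticate(self, token):
        """Return the user for a live session, else None. Refreshes the idle timer."""
        entry = self._sessions.get(token or "")
        if entry is None:
            return None
        user, last_seen = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self._sessions[token]         # timeout: the server forgets the session
            return None
        self._sessions[token] = (user, now)
        return user

    def logout(self, token):
        """[Logout] button: revoke server-side, so a replayed cookie is useless."""
        return self._sessions.pop(token or "", None) is not None


def session_cookie(token):
    # HttpOnly keeps the token away from page scripts; Secure restricts it to HTTPS.
    return f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def clear_cookie():
    # Sent with the logout response so the browser drops its copy as well.
    return "sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"
```

The revocation happens on the server, so logout and timeout take effect even if the browser keeps the cookie.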
