Geoffrey Young wrote:
>
> Matthieu FEREYRE wrote:
>> I use a basic authentication (Apache2::Access) which works fine, but my
>> question is:
>> How do I disconnect users?
>
> the short answer is that you can't. this is why you don't see popup
> authentication anywhere anymore :)
>
> "When you determine that the client should stop using the
> credentials/session key, the server can tell the client to delete the
> cookie. Letting users "log out" is a notoriously impossible-to-solve
> problem of AuthBasic."

Or more to the point, you can never log into HTTP either ;-)

HTTP is stateless. Each request comes in with (optionally) a cookie, user, and/or password. The request has nothing to do with the last request unless the server told the client to present a cookie.

With HTTP auth such as basic, when it sees someone it doesn't know, the server returns NOT AUTHORIZED. The client offers a popup, and provides a user and password. If those don't work, again, NOT AUTHORIZED.

Cookie-based auth remembers a session in a cookie. When the cookie is missing, the server sends an HTTP auth or a form based auth page, until the user successfully "connects".

But the idea of "disconnecting" the user? Not Applicable :) The client may immediately send the request with the required user/password fields, so you would want to keep keep-alives enabled.

The only "disconnect" is to tell the client to forget its cookie (which certainly isn't any sort of "security").

Bill
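
The exchange discussed in this thread, as an added example that is not part of the original posts: a simulated server (all function names and the sample account are constructed) in which Basic credentials are re-checked on every request with nothing server-side to revoke. It goes one step beyond the thread by also dropping the cookie session's server-side record on logout, so a replayed cookie is rejected even if the client ignores the request to forget it.

```python
import base64, hmac, secrets

USERS = {"alice": "s3cret"}   # constructed sample account
SESSIONS = {}                 # session id -> user, kept on the server
CHALLENGE = {"WWW-Authenticate": 'Basic realm="demo"'}

def check_password(user, pw):
    return user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())

def basic_auth(headers):
    """Stateless: each request is judged only on the header it carries."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return 401, CHALLENGE
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:          # bad base64 or bad UTF-8
        return 401, CHALLENGE
    return (200, {}) if check_password(user, pw) else (401, CHALLENGE)

def session_id(headers):
    return headers.get("Cookie", "").partition("sid=")[2]

def login(user, pw):
    if not check_password(user, pw):
        return 401, {}
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return 200, {"Set-Cookie": f"sid={sid}; HttpOnly; Secure; SameSite=Lax"}

def cookie_auth(headers):
    return (200, {}) if session_id(headers) in SESSIONS else (401, {})

def logout(headers):
    SESSIONS.pop(session_id(headers), None)   # revoke on the server
    return 200, {"Set-Cookie": "sid=; Max-Age=0; HttpOnly; Secure"}  # ask client to forget

def demo():
    creds = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
    basic = [basic_auth({})[0], basic_auth(creds)[0], basic_auth(creds)[0]]
    _, reply = login("alice", "s3cret")
    cookie = {"Cookie": reply["Set-Cookie"].split(";")[0]}
    before = cookie_auth(cookie)[0]
    logout(cookie)
    after = cookie_auth(cookie)[0]            # old cookie replayed after logout
    return basic, before, after

if __name__ == "__main__":
    print(demo())
```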