Ray Todd Stevens wrote:

>I am working on a web site that is using PHP controlled www-
>authenticate authentication.  User ids are specific to users and 
>different pages and different levels of information for a given page 
>will be displayed based on the user id used.  The problem is how do 
>you log out without having to quit all browser sessions.
>

HTTP authentication is a protocol-level mechanism that is outside of 
PHP. Though PHP gives you some control over the HTTP response (the 
message from the Web server to the Web client), it cannot grant you 
control of future HTTP requests (messages from the Web client to the Web 
server), which is what you are wanting to do.

You see, there is no such thing as "logging out" with HTTP 
authentication (because you are never exactly logged in); every HTTP 
request must include the authentication credentials. Because most 
browsers will save this information rather than prompting for it for 
every request, it can appear as if you are "logged in" until the browser 
session is destroyed, but that's not actually how it works.

So, in case I did not explain that well, whether the Web browser returns 
the HTTP authentication credentials in future requests is entirely up to 
the Web browser and is thus a browser configuration issue. However, I'm 
not aware (someone feel free to correct me) of any browsers that allow 
you to turn off this caching behavior with regard to HTTP 
authentication anyway, so you will have no option other than to end the 
browser session.

That's not the answer you are wanting, but might I suggest you look into 
writing your own access restriction logic in PHP rather than using HTTP 
authentication. This is what most developers choose, and it will give 
you far more flexibility and security.

Happy hacking.

Chris
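
The suggestion above (application-level access control instead of HTTP authentication), sketched as an added example that is not part of the original message: login state lives in a server-side PHP session, so logout is simply destroying that state. The user table, levels and form field names (`action`, `user`, `pass`) are constructed for illustration.

```php
<?php
// Added example: session-based access control with a working logout.
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,   // session cookie not readable from script
    'use_strict_mode' => true,   // reject session ids the server did not issue
]);

// Constructed user table; a real site would load stored hashes instead.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'level' => 2],
    'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'level' => 1],
];

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh id at login, defeats session fixation
    $_SESSION['user']  = $user;
    $_SESSION['level'] = $users[$user]['level'];
    return true;
}

function logout(): void
{
    $_SESSION = [];                       // drop the server-side login state
    if (ini_get('session.use_cookies')) { // expire the browser's session cookie too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // old session id no longer maps to a login
}

$action = $_POST['action'] ?? '';
if ($action === 'login') {
    login($users, (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
} elseif ($action === 'logout') {
    logout();
}

// Per-user content level is decided from the session, not from resent credentials.
if (isset($_SESSION['user'])) {
    echo 'Signed in as ', htmlspecialchars($_SESSION['user']),
         ' (level ', (int)$_SESSION['level'], ')';
} else {
    echo 'Not signed in';
}
```

Unlike HTTP authentication, the browser here only holds an opaque session id; once the server destroys the session, replaying that id grants nothing, so no browser restart is needed.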


-- 
PHP General Mailing List (http://www.php.net/)