I do understand how this works. Yea the browser caches the
information and returns it each time. I was trying to find a way to
clear this cache. (seems to be a failure in current browsers that
there is no command for this) Or have a system so that a cookie
can be created that forces a change. The problem I have with the
cookie solution is that cookies only seem to change if the page is
fully loaded. I can reject the login and make them re-enter the
userid.password if a cookie is set. But I then can't erase the cookie.
Once it is set the user id and password never will work again until
the browser exits.
> Ray Todd Stevens wrote:
>
> >I am working on a web site that is using php controlled www-
> >authenticate authentication. User ids are specific to users and
> >different pages and different levels of information for a given page
> >will be displayed based on the user id used. The problem is how do
> >you log out without having to quit all browser sessions.
> >
>
> HTTP authentication is a protocol-level mechanism that is outside of
> PHP. Though PHP gives you some control over the HTTP response (the
> message from the Web server to the Web client), it cannot grant you
> control of future HTTP requests (messages from the Web client to the
> Web server), which is what you are wanting to do.
>
> You see, there is no such thing as "logging out" with HTTP
> authentication (because you are never exactly logged in); every HTTP
> request must include the authentication credentials. Because most
> browsers will save this information rather than prompting for it for
> every request, it can appear as if you are "logged in" until the
> browser session is destroyed, but that's not actually how it works.
>
> So, in case I did not explain that well, whether the Web browser
> returns the HTTP authentication credentials in future requests is
> entirely up to the Web browser and is thus a browser configuration
> issue. However, I'm not aware (someone feel free to correct me) of any
> browsers that allow you to turn off this caching behavior with regards
> to HTTP authentication anyway, so you will have no option other than
> to end the browser session.
>
> That's not the answer you are wanting, but might I suggest you look
> into writing your own access restriction logic in PHP rather than
> using HTTP authentication. This is what most developers choose, and it
> will give you far more flexibility and security.
>
> Happy hacking.
>
> Chris
>
>
----------------------------------------------------------------------------------
Ray Todd Stevens        Specialists in Network and Security Consulting
Senior Consultant       Software audit service available
Stevens Services
Suite 21
3754 Old State Rd 37 N
Bedford, IN 47421
(812) 279-9394
[EMAIL PROTECTED]
Thought for the day:
Concerto (n): a fight between a piano and a pianist.
For PGP public key send message with subject
please send PGP key
If this message refers to an attachment the attachment
may arrive as a separate mail message depending on the
type of mail client and gateway software you are using.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
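
The approach Chris suggests in the quoted reply, access restriction written in PHP instead of HTTP authentication, makes logout a server-side operation: the browser holds only a session id, and the server can invalidate it at any time. The single-file sketch below is an added example, not code from the thread; it assumes PHP 7.3 or later, and the `ray` account, its password, and the `post_string()` and `logout()` helpers are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ and one script file.
declare(strict_types=1);

// Constructed demo account; a real site would load password hashes from its user store.
$users = ['ray' => password_hash('demo-password', PASSWORD_DEFAULT)];

session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax',
                           'secure' => !empty($_SERVER['HTTPS'])]);
session_start();

// Hypothetical helper: read a POST field, ignoring array-valued input.
function post_string(string $key): string {
    return is_string($_POST[$key] ?? null) ? $_POST[$key] : '';
}

function logout(): void {
    $_SESSION = [];                        // forget the user on the server
    $p = session_get_cookie_params();      // expire the browser's session cookie
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();                     // the old session id is now worthless
}

$action = post_string('action');
if ($action === 'login') {
    $user = post_string('user');
    if (isset($users[$user]) && password_verify(post_string('pass'), $users[$user])) {
        session_regenerate_id(true);       // new id on privilege change (anti-fixation)
        $_SESSION['user'] = $user;
        $_SESSION['csrf'] = bin2hex(random_bytes(16));
    }
} elseif ($action === 'logout' && isset($_SESSION['user'])
          && hash_equals($_SESSION['csrf'], post_string('csrf'))) {
    logout();                              // CSRF token stops cross-site forced logout
}

header('Cache-Control: no-store');         // keep per-user pages out of caches
if (isset($_SESSION['user'])) {
    $u = htmlspecialchars($_SESSION['user'], ENT_QUOTES);
    $t = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES);
    echo "<p>Signed in as $u</p><form method='post'>"
       . "<input type='hidden' name='csrf' value='$t'>"
       . "<button name='action' value='logout'>Log out</button></form>";
} else {
    echo "<form method='post'><input name='user'><input type='password' name='pass'>"
       . "<button name='action' value='login'>Log in</button></form>";
}
```

Because the credentials are sent only once, at login, nothing the browser caches afterwards can re-authenticate the user once `logout()` has destroyed the session.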