I do understand how this works. Yeah, the browser caches the information and returns it each time. I was trying to find a way to clear this cache (it seems to be a failure in current browsers that there is no command for this), or to have a system so that a cookie can be created that forces a change. The problem I have with the cookie solution is that cookies only seem to change if the page is fully loaded. I can reject the login and make them reenter the userid/password if a cookie is set. But I then can't erase the cookie. Once it is set, the user id and password never will work again until the browser exits.

> Ray Todd Stevens wrote:
>
> >I am working on a web site that is using php controlled www-authenticate
> >authentication. User ids are specific to users and different pages and
> >different levels of information for a given page will be displayed based
> >on the user id used. The problem is how do you log out without having to
> >quit all browser sessions.
>
> HTTP authentication is a protocol-level mechanism that is outside of
> PHP. Though PHP gives you some control over the HTTP response (the
> message from the Web server to the Web client), it cannot grant you
> control of future HTTP requests (messages from the Web client to the
> Web server), which is what you are wanting to do.
>
> You see, there is no such thing as "logging out" with HTTP
> authentication (because you are never exactly logged in); every HTTP
> request must include the authentication credentials. Because most
> browsers will save this information rather than prompting for it for
> every request, it can appear as if you are "logged in" until the
> browser session is destroyed, but that's not actually how it works.
>
> So, in case I did not explain that well, whether the Web browser
> returns the HTTP authentication credentials in future requests is
> entirely up to the Web browser and is thus a browser configuration
> issue. However, I'm not aware (someone feel free to correct me) of any
> browsers that allow you to turn off this caching behavior with regards
> to HTTP authentication anyway, so you will have no option other than
> to end the browser session.
>
> That's not the answer you are wanting, but might I suggest you look
> into writing your own access restriction logic in PHP rather than
> using HTTP authentication. This is what most developers choose, and it
> will give you far more flexibility and security.
>
> Happy hacking.
>
> Chris

Ray Todd Stevens
Specialists in Network and Security Consulting
Senior Consultant
Software audit service available
Stevens Services
Suite 21
3754 Old State Rd 37 N
Bedford, IN 47421
(812) 279-9394
[EMAIL PROTECTED]
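
Added example, not part of the original thread: a minimal sketch of the PHP-side access restriction logic suggested in the quoted reply, using a server-side session so that logging out works without closing the browser. The `$USERS` array, the form field names and the `login()`/`logout()` helpers are constructed for illustration; it assumes PHP 7.3 or later and an HTTPS site.

```php
<?php
// Added example: session-based login/logout instead of HTTP authentication.
// $USERS is a constructed sample store; a real site would use its own user table.
$USERS = [
    // username => [password hash, access level]
    'alice' => [password_hash('constructed-sample-password', PASSWORD_DEFAULT), 'admin'],
];

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user][0])) {
        return false;
    }
    session_regenerate_id(true);           // fresh session id once authenticated
    $_SESSION['user']  = $user;
    $_SESSION['level'] = $users[$user][1]; // drives which page content is shown
    return true;
}

function logout(): void
{
    $_SESSION = [];                        // drop the server-side state
    $p = session_get_cookie_params();
    // Expire the session cookie; this must run before any page output is sent.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => 'Lax',
    ]);
    session_destroy();
}

// All header-changing work happens here, before the first byte of output.
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    login($USERS, (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
} elseif ($action === 'logout') {
    logout();
}

$who = $_SESSION['user'] ?? null;
echo $who === null
    ? 'Not logged in.'
    : 'Logged in as ' . htmlspecialchars($who, ENT_QUOTES) . ' (' . $_SESSION['level'] . ')';
```

Because the server decides whether the session is still valid, logout takes effect on the next request even if the browser keeps sending the old cookie.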