[PHP] php htaccess logins and logouts

2009-11-26 Thread Ashley Sheridan
Hi all,

I've got a site set up that is using an htaccess file to provide secure
access to a directory. That is working fine. What I wondered was, is
there a way to log out via PHP. As I understand it, the login mechanism
is part of Apache, so I guess what I'm really asking is, is there a way
that I can get Apache to end the 'session' that Apache has set up, using
PHP?

I'm sure I've seen cPanel do it, so I was wondering how easy this would
be to do myself.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] php htaccess logins and logouts

2009-11-26 Thread James McLean
On Fri, Nov 27, 2009 at 12:12 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
> Hi all,
>
> I've got a site set up that is using an htaccess file to provide secure
> access to a directory. That is working fine. What I wondered was, is
> there a way to log out via PHP. As I understand it, the login mechanism
> is part of Apache, so I guess what I'm really asking is, is there a way
> that I can get Apache to end the 'session' that Apache has set up, using
> PHP?
>
> I'm sure I've seen cPanel do it, so I was wondering how easy this would
> be to do myself.

IIRC if you unset $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW'] it will log you out.

Cheers.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] php htaccess logins and logouts

2009-11-26 Thread Andy Shellam (Mailing Lists)
Hi,

>
> IIRC if you unset $_SERVER['PHP_AUTH_USER'] and
> $_SERVER['PHP_AUTH_PW'] it will log you out.

I've done some research on this in the past - and not all browsers/web servers 
honour that as it's the browser that keeps the username/password cached and 
sends it after a 401 response, so the server knows nothing about the login - 
i.e.

1. User visits page 1
2. Server sends 401 Unauthorised header
3. Browser does not have any login details for the realm and prompts user
4. User inputs credentials, browser re-submits the request with the credentials 
attached
5. User visits page 2
6. Server sends 401 Unauthorised header
7. Browser has login details for the realm and re-submits the request with the 
credentials attached

From the conclusion I came to after my research, there is no reliable way for 
the server to de-authorise a login after a 401 request.

There are tricks you can do on the server, such as changing the authentication 
realm when the user has logged out - but if the user visits the same site again 
the realms will match and they will be logged in.

I've seen a hack which uses a cookie on the user's machine - if the user has 
the cookie, the correct authentication realm is returned in the authentication 
request.  If the user doesn't have the cookie, the server sends a random realm 
to trick the browser into thinking it's not logged in.  By the time you've done 
all that, you might as well just use sessions.

Regards,
Andy
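For readers who want to see the cookie-plus-random-realm trick from Andy's reply in working form, here it is as an added example in the thread's language; this is not code from the thread or from any project, and it assumes PHP 7+ issues the Basic-auth challenge itself (not Apache via .htaccess), so that PHP controls the realm. The cookie name, realm prefix and user list are constructed for the demo.

```php
<?php
// Added example, not code from the thread: PHP-side HTTP Basic auth using the
// cookie-plus-random-realm logout trick Andy describes. Assumes PHP 7+ issues
// the 401 challenge itself (not Apache via .htaccess), so PHP controls the realm.
// The cookie name, realm prefix and user list are constructed for this demo.

const SESSION_COOKIE = 'basic_auth_realm';

// Constructed user store: username => password hash. Replace with a real lookup.
$users = ['ash' => password_hash('demo-password', PASSWORD_DEFAULT)];

function challenge(string $realm): void
{
    // A browser only replays cached credentials for a realm it has already
    // seen, so an unknown realm forces the login prompt to appear again.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.1 401 Unauthorized');
    exit("Authentication required.\n");
}

function credentialsValid(array $users): bool
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Logout only drops the marker cookie; the browser still caches the password,
// but its next request arrives without the cookie and gets a realm it has never seen.
if (isset($_GET['logout'])) {
    setcookie(SESSION_COOKIE, '', time() - 3600, '/');
    exit("Logged out.\n");
}

// No valid marker cookie: bind this browser to a fresh random realm. Any
// Authorization header sent preemptively is ignored on purpose, so a logged-out
// user is not silently re-authenticated with the old cached password.
$realm = $_COOKIE[SESSION_COOKIE] ?? '';
if (!preg_match('/^members-[0-9a-f]{16}$/', $realm)) {   // reject forged cookies
    $realm = 'members-' . bin2hex(random_bytes(8));
    setcookie(SESSION_COOKIE, $realm, 0, '/', '', false, true); // session, HttpOnly
    challenge($realm);
}
// Marker cookie present: the credentials must be valid for this realm.
if (!credentialsValid($users)) {
    challenge($realm);
}
echo 'Welcome, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . ". <a href=\"?logout=1\">Log out</a>\n";
```

The cookie is only a marker: the browser still holds the password, so this controls when the prompt reappears, not whether the server would accept the cached credentials, which is why Andy's closing advice to use sessions stands. On an HTTPS site, also set the cookie's secure flag.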