Why does Browser/Server Authentication SUCK so Bad ?



VR-Fox
Forum Newbie
Posts: 14
Joined: Fri Apr 16, 2010 11:30 am

Why does Browser/Server Authentication SUCK so Bad ?

Post by VR-Fox »

Can someone please tell me why browser/server authentication sucks so bad?
I mean, I have been looking all over for a solution on how to reset or clear PHP_AUTH_USER and PHP_AUTH_PW,
and the only solution I came up with is to resend false information to them in order to get the login box to pop
up again. It seems that once a user is logged in using that method, it doesn't matter: even after you destroy all
session variables and go back to the login page, you still won't get the login box to pop up, because PHP_AUTH_USER remains
set once you log in the first time, until you actually close the browser app, re-open it, and go back to the site.
Is there no function that can just clear PHP_AUTH_USER and PHP_AUTH_PW?

VR-Fox
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Why does Browser/Server Authentication SUCK so Bad ?

Post by pickle »

Change the WWW-Authenticate: Basic realm="My Realm" header. I believe credentials are stored on a realm-by-realm basis, so updating "My Realm" (maybe put a UNIX timestamp at the end, though the user will see that) will trigger a new request for credentials.

And it sucks because it's old and partly out of the browser's hands. They're just implementing an HTTP standard.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Why does Browser/Server Authentication SUCK so Bad ?

Post by requinix »

The realm and the URI are a factor in what credentials are applicable where.

Basic authentication is supposed to be a very simple method. It is not secure, it is not powerful, it is not flexible. It is a quick solution to address many issues. A "log out" can be done by reissuing a 401 Unauthorized response, to which the client (browser) should then ask the user for login credentials again. In case the same username/password is sent, you should keep sending the Unauthorized response: that means tracking when a user is valid, not simply "they logged in" or "they logged out" as is done with most session-based login schemes.

In other words: don't complain that a feature is hard to use when it wasn't even designed into the system to begin with.
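Both replies above describe the same mechanism from two angles: pickle's realm change and requinix's "reissue 401 and track validity on the server". The script below is an added example, not code posted in this thread, that puts the two together in PHP: the server keeps a logout generation counter in the PHP session, embeds it in the realm string so the browser no longer has cached credentials that match, and answers the logout with a 401. The user name, the password, the `?action=logout` parameter and the session keys `gen` are all hypothetical choices for the demo; real code would take the hash from a user store rather than computing it on every request.

```php
<?php
// Added example (not from the original thread): HTTP Basic "logout" in PHP.
// Assumptions (hypothetical): a single user, PHP 7.4+, PHP sessions available,
// and the script served over HTTPS, since Basic sends the password on every request.
declare(strict_types=1);

session_start();

const AUTH_USER = 'alice';
// Hash computed here only so the demo runs stand-alone; in real code it comes
// from a user store and is NOT recomputed per request (bcrypt is deliberately slow).
$passwordHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Server-side validity tracking (requinix's point): a generation counter that is
// bumped on every logout. It doubles as the realm suffix (pickle's point), so after
// a logout the browser sees a realm it holds no cached credentials for and prompts.
$_SESSION['gen'] ??= 0;

function realm(): string
{
    return 'Members-' . $_SESSION['gen'];
}

// Send the 401 challenge for the current realm and stop the script.
function challenge(string $message): void
{
    header('WWW-Authenticate: Basic realm="' . realm() . '", charset="UTF-8"');
    header('Content-Type: text/plain');
    http_response_code(401);
    echo $message, "\n";
    exit;
}

// Logout: rotate the realm and answer 401. The credentials the browser cached
// for the old realm never match again, which is the "clear PHP_AUTH_USER" the
// original poster was looking for; it happens on the browser's side, not PHP's.
if (($_GET['action'] ?? '') === 'logout') {
    $_SESSION['gen']++;
    challenge('Logged out. Reload to sign in again.');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

// No credentials at all (first visit, or the browser dropped them after a 401).
if ($user === null || $pass === null) {
    challenge('Authentication required.');
}

// hash_equals() and password_verify() are both constant-time comparisons, so the
// response time does not leak how much of the user name or password matched.
$valid = hash_equals(AUTH_USER, $user) && password_verify($pass, $passwordHash);
if (!$valid) {
    challenge('Invalid credentials.');
}

header('Content-Type: text/plain');
echo "Hello, {$user}. You are logged in under realm " . realm() . ".\n";
echo "Visit ?action=logout to sign out.\n";
```

Two caveats a practitioner should keep in mind. First, the realm string is shown to the user in the browser's login prompt, so the generation counter is visible; a short, stable-looking suffix is less confusing than a timestamp, but the effect is the same. Second, `$_SERVER['PHP_AUTH_USER']` and `PHP_AUTH_PW` are populated by PHP from the Authorization header only in some server setups (historically the Apache module); under CGI or FastCGI the web server may need to be configured to pass the header through, otherwise these variables are simply absent and the script will challenge forever. None of this makes Basic authentication "secure" in the sense requinix means: the password still travels base64-encoded on every request, so TLS is mandatory.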