Can someone please tell me why browser/server authentication sucks so bad?
I mean, I have been looking all over for a solution on how to reset or clear PHP_AUTH_USER and PHP_AUTH_PW, and the only solution I came up with is to resend false information to them in order to get the login box to pop up again. It seems that once a user is logged in using that method, it doesn't matter: even after you destroy all session variables and go back to the login page, you still won't get the login box to pop up, because PHP_AUTH_USER remains set once you log in the first time until you actually close the browser app, re-open it and go back to the site.
Is there no function that can just clear PHP_AUTH_USER and PHP_AUTH_PW?
VR-Fox
Why does Browser/Server Authentication SUCK so Bad ?
Re: Why does Browser/Server Authentication SUCK so Bad ?
Change the WWW-Authenticate: Basic realm="My Realm" header. I believe credentials are stored on a realm by realm basis, so updating "My Realm" (maybe put a UNIX timestamp at the end - though the user will see that) will trigger a new request for credentials.
& It sucks because it's old & partly out of the browser's hands. They're just implementing an HTTP standard.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: Why does Browser/Server Authentication SUCK so Bad ?
The realm and the URI are a factor in what credentials are applicable where.
Basic authentication is supposed to be a very simple method. It is not secure, it is not powerful, it is not flexible. It is a quick solution to address many issues. A "log out" can be done by reissuing a 401 Unauthorized response, to which the client (browser) should then ask the user for login credentials again. In case the same username/password is sent, you should keep sending the Unauthorized response: that means tracking when a user is valid, not simply "they logged in" or "they logged out" as is done with most session-based login schemes.
In other words: don't complain that a feature is hard to use when it wasn't even designed into the system to begin with.
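Putting both answers together in PHP, as an added example that is not from anyone in this thread: the realm is bumped on logout so the browser opens a fresh prompt, and the server keeps answering 401 while the browser replays the pair that was just logged out. The $users table is constructed, and RETIRE_SECONDS is an assumed grace window, because a replayed pair and a re-typed identical pair look the same to the server.

```php
<?php
// Added example, not the thread's code. Basic-auth "logout" done the way the
// replies describe: change the realm and keep re-issuing 401 for the retired
// credential pair. $users is constructed; RETIRE_SECONDS is an assumed window.
session_start();

const RETIRE_SECONDS = 30;
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed

function challenge(string $realm): void {
    header('WWW-Authenticate: Basic realm="' . addcslashes($realm, '"\\') . '"');
    http_response_code(401);
    exit('Authentication required');
}

// The realm carries a generation counter that changes on every logout.
$gen   = $_SESSION['realm_gen'] ?? 0;
$realm = 'My Realm' . ($gen ? " #$gen" : '');

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if (isset($_GET['logout']) && $user !== null) {
    // Fingerprint the pair being retired; never keep the raw password around.
    $_SESSION['retired']    = hash('sha256', $user . "\0" . $pass);
    $_SESSION['retired_at'] = time();
    $_SESSION['realm_gen']  = $gen + 1;
    challenge('My Realm #' . ($gen + 1));
}

if ($user === null || $pass === null) {
    challenge($realm);                       // no credentials yet: ask for them
}

// Inside the grace window and the browser is still replaying the retired pair.
if (isset($_SESSION['retired'])
    && time() - $_SESSION['retired_at'] < RETIRE_SECONDS
    && hash_equals($_SESSION['retired'], hash('sha256', $user . "\0" . $pass))) {
    challenge($realm);
}
unset($_SESSION['retired'], $_SESSION['retired_at']);

if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
    challenge($realm);                       // wrong credentials: ask again
}

echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . ' <a href="?logout=1">log out</a>';
```

Note that the session cookie, not the Basic credentials, is what lets the server remember the retired pair across requests, so this only works while the browser keeps that cookie.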