For quite a while I tried to find a good way to use HTTP (either Basic or Digest) Authentication to make a login to secure content. I wanted to use HTTP Auth instead of a simple HTML form logon to provide better security.
E.g.
Code:
<?php
// Challenge the browser for HTTP Basic credentials in the configured realm.
header("WWW-Authenticate: Basic realm=\"".HTTP_AUTH_REALM."\"");
header("HTTP/1.0 401 Unauthorized");
echo("This is for authorized users only.");
exit;
?>

So if a careless user simply surfs to another page or uses tabbed browsing, it is very easy to access the secure area by clicking the BACK button or entering the specific content URL.

I tried several ways to get rid of this problem, but all of them without success:
1.) This tutorial [1] suggests setting a new session cookie by using some lines at the beginning
Code:
<?php
// Session cookie that lasts until the browser closes, valid for every path on .foo.com
session_set_cookie_params(0, '/', '.foo.com');
@session_start();
?>

Code:
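<?php
// Unset session data
$_SESSION = array();
// Clear cookie: unset() only drops it from this request's array, so also
// expire it in the browser (same path and domain as when it was set)
unset($_COOKIE[session_name()]);
setcookie(session_name(), '', time() - 3600, '/', '.foo.com');
// Destroy session data
session_destroy();
// Redirect to clear the cookie.
$time = time();
header("Location: /logged_out.html?cache_defeat=$time");
exit;
?>

Code: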
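<?php
// Send a 401 challenge; a random realm is used when none is given.
function authenticate($head="") {
    if ($head=="") {
        $head=rand();
    }
    header('WWW-Authenticate: Basic realm="'.$head.'"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}
// The credentials are absent on the first request, so default to empty strings
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
//no security yet - use data storage
if (!($user=="test" AND $pass=="test2")) {
    authenticate();
}
else {
    if (isset($_GET['logout']) && $_GET['logout']==1) {
        authenticate();
        die();
    }
    echo "authenticated";
    // Escape PHP_SELF before echoing it into the page
    echo "<a href=\"".htmlspecialchars($_SERVER['PHP_SELF'])."?logout=1\">logout</a>";
}
?>

So the question is: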
Does anyone know how to make a LOGOUT on HTTP Authentication with the use of any standard browser (IE)?
Or just know why the described ways do not work for me (some Apache settings?)
tia Jakob
--
[1] viewtopic.php?t=24789
[2] http://at.php.net/manual/en/function.se ... estroy.php