[SOLVED] Log Out in HTTP Authentication

jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

Hi

For quite a while I tried to find a good way to use an HTTP (either Basic or Digest) Authentication to make a login to secure content. I wanted to use HTTP Auth instead of a simple HTML form logon to provide better security.

E.g.

Code:

<?php
// HTTP_AUTH_REALM is defined in the poster's own configuration; a placeholder
// value is supplied here so the snippet runs on its own.
define('HTTP_AUTH_REALM', 'Secure area');
header('WWW-Authenticate: Basic realm="' . HTTP_AUTH_REALM . '"');
header('HTTP/1.0 401 Unauthorized');
echo 'This is for authorized users only.';
exit;
?>
But when it comes to logout I experienced problems with the cache that holds the user/password. It is not deleted until the browser (IE, Mozilla Firefox) window is closed.
So if a careless user simply surfs to another page or uses tabbed browsing, it is very easy to access the secure area by clicking the BACK button or entering the specific content URL. I tried several ways to get rid of this problem, but all of them without success:

1.) this tutorial [1] suggests setting a new session_cookie by using some lines in the beginning

Code:

<?php
session_set_cookie_params(0, '/', '.foo.com'); 
@session_start(); 
?>
2.) a second source [2], a comment (by msopacua at idg dot nl) on the php.net manual entry for "session_destroy", tries to clear the cache and redirect to another page (which has no effect; one can still click the back button in the browser)

Code:

<?php
// A session has to be active before it can be destroyed.
session_start();
// Unset session data
$_SESSION = array();
// Clear cookie: unsetting $_COOKIE only drops the server-side copy, so the
// browser must also be told to expire it.
unset($_COOKIE[session_name()]);
setcookie(session_name(), '', time() - 3600, '/');
// Destroy session data
session_destroy();
// Redirect to clear the cookie.
$time = time();
header("Location: /logged_out.html?cache_defeat=$time");
exit;
?>
3.) In a third attempt I found out that if the realm of the authentication is changed (I made it random) I can force a new auth window to be prompted. It is rather a workaround than a solution, because if the window is simply closed in a browser with tabbed browsing, the window can be recalled by typing the URL.

Code:

<?php
function authenticate($head = "") {
    if ($head == "") {
        $head = rand();
    }
    header('WWW-Authenticate: Basic realm="' . $head . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}

// no security yet - use data storage
// the PHP_AUTH_* entries are absent when no Authorization header was sent
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
if (!($user == "test" AND $pass == "test2")) {
    authenticate();
} else {
    if (isset($_GET['logout']) && $_GET['logout'] == 1) {
        authenticate(); // exits
    }
    echo "authenticated";
    // PHP_SELF reflects the request path, so it must be escaped before output
    echo '<a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?logout=1">logout</a>';
}
?>

So the question is:
Does anyone know how to make a LOGOUT on HTTP Authentication work with any standard browser (IE)?
Or does anyone know why the described ways do not work for me (some Apache settings?)

tia Jakob

--
[1] viewtopic.php?t=24789
[2] http://at.php.net/manual/en/function.se ... estroy.php
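Added example for this thread, not the poster's code or anything from the linked manual page. The three attempts fail for the same reason: HTTP Basic has no logout primitive, so the browser keeps replaying the cached Authorization header until the server challenges with a different realm. The script below combines the poster's third idea (a rotated realm) with a server-side session that remembers the logout, so the first cached header replayed after logout (BACK button, other tab) is rejected and the user is prompted again; it also sends Cache-Control: no-store so the protected page itself is not served from the browser cache. The credential map (one user, stored as a password_hash), the realm prefix, the reject_replay session key and ?logout=1 as the trigger are all constructed for this example; it assumes PHP 7.1+ and HTTPS (the session cookie is marked secure).

```php
<?php
// Added example, not from the thread. Assumptions: constructed user map,
// constructed realm prefix, ?logout=1 as the logout trigger, HTTPS, PHP 7.1+.

// Session cookie: not readable by script and sent only over HTTPS.
// On a plain-HTTP dev box set the fourth argument to false, or sessions will not persist.
session_set_cookie_params(0, '/', '', true, true);
session_start();

// Constructed credential store: user => password_hash(). In a real deployment the
// hash is stored once, not recomputed on every request as it is here for brevity.
$users = ['test' => password_hash('test2', PASSWORD_DEFAULT)];

// Send a Basic challenge and stop. A fresh realm makes the browser discard the
// credentials it cached for the old realm instead of silently replaying them.
function challenge(string $realm): void {
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    header('Cache-Control: no-store');
    echo 'Authentication required.';
    exit;
}

function newRealm(): string {
    return 'Secure area ' . bin2hex(random_bytes(8)); // constructed prefix
}

// Constant-time comparison against the stored hash; never compare plaintext.
function credentialsValid(array $users, ?string $user, ?string $pass): bool {
    if ($user === null || $pass === null || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!isset($_SESSION['realm'])) {
    $_SESSION['realm'] = newRealm();
}

// Logout: wipe the server-side login, rotate the realm, remember that the next
// Authorization header is a browser replay, and redirect back to the page
// (no ?logout=1, so typing a password at the next prompt does not loop here).
if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['realm'] = newRealm();
    $_SESSION['reject_replay'] = true;
    header('Cache-Control: no-store');
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

// First request after a logout: the browser may have preemptively resent the
// cached credentials. Reject that one replay so the user is prompted again;
// whatever they type arrives on a later request and goes through normally.
if (!empty($_SESSION['reject_replay'])) {
    unset($_SESSION['reject_replay']);
    if ($user !== null) {
        challenge($_SESSION['realm']);
    }
}

if (!credentialsValid($users, $user, $pass)) {
    challenge($_SESSION['realm']);
}

$_SESSION['user'] = $user;

// Protected page: forbid caching so BACK cannot show a stale copy after logout.
header('Cache-Control: no-store');
header('Pragma: no-cache');
echo 'authenticated as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
echo ' <a href="?logout=1">logout</a>'; // relative link, no PHP_SELF reflection
```

What this buys over the poster's attempt 3 is that the logout is recorded on the server, so a tab that replays the old credentials without ever having seen the new realm still gets a 401 once. What it cannot do is erase anything from the browser: if the user cancels the prompt and the browser keeps the old credentials, a later replay that matches the stored hash is still a valid login, because Basic gives the server nothing but the credentials to judge by. That is the limit the original post ran into.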
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

*buhuuuhuuuuuu* :cry: damn authentication features!

nevertheless thx!