
[SOLVED] Log Out in HTTP Authentication

Posted: Mon Aug 30, 2004 6:52 am
by jakobdoppler
Hi

For quite a while I tried to find a good way to use an HTTP (either Basic or Digest) Authentication to make a login to secure content. I wanted to use HTTP Auth instead of a simple HTML form logon to provide better security.

E.g.

Code:

<?php
// HTTP_AUTH_REALM is assumed to be defined elsewhere in the original; a value is
// supplied here so the snippet runs on its own.
define('HTTP_AUTH_REALM', 'Secure Area');
header('WWW-Authenticate: Basic realm="' . HTTP_AUTH_REALM . '"');
header('HTTP/1.0 401 Unauthorized');
echo "This is for authorized users only.";
exit;
?>
But when it comes to logout I experienced problems with the cache that holds the user/password. It is not deleted until the browser (IE, Mozilla Firefox) window is closed.
So if a careless user simply surfs to another page or uses tabbed browsing, it is very easy to access the secure area by clicking the BACK button or entering the specific content URL. I tried several ways to get rid of this problem, but all of them without success:

1.) this tutorial [1] suggests setting a new session cookie by using some lines at the beginning

Code:

<?php
// Cookie lifetime 0 = session cookie, valid for the whole domain
session_set_cookie_params(0, '/', '.foo.com');
@session_start();
?>
2.) a second source [2] in the php.net manual (msopacua at idg dot nl), entry "session_destroy", tries to clear the cache and redirect to another page (which has no effect; one can still click the back button in the browser)

Code:

<?php
// Unset session data
$_SESSION = array();
// Clear the session cookie in the browser; unset($_COOKIE[...]) would only
// touch the server-side copy and never reach the client
setcookie(session_name(), '', time() - 3600, '/');
// Destroy session data
session_destroy();
// Redirect to clear the cookie.
$time = time();
header("Location: /logged_out.html?cache_defeat=$time");
?>
3.) In a third attempt I found out that if the realm of the authentication is changed (I made it random) I can force a new auth prompt window. It is rather a workaround than a solution, because if the window is simply closed in a browser with tabbed browsing, the window can be recalled by typing the URL.

Code:

<?php
function authenticate($head = "") {
    // A random realm forces the browser to open a fresh auth prompt
    if ($head == "") {
        $head = rand();
    }
    header('WWW-Authenticate: Basic realm="' . $head . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}
// no security yet - use data storage
if (!(isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
      && $_SERVER['PHP_AUTH_USER'] == "test" && $_SERVER['PHP_AUTH_PW'] == "test2")) {
    authenticate();
} else {
    if (isset($_GET['logout']) && $_GET['logout'] == 1) {
        authenticate(); // exits, so no die() is needed afterwards
    }
    echo "authenticated";
    // PHP_SELF reflects the request path, so escape it before printing into HTML
    echo '<a href="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '?logout=1">logout</a>';
}
?>

So the question is:
Does anyone know how to make a LOGOUT on HTTP Authentication with any standard browser (IE)?
Or does anyone know why the described ways do not work for me (some Apache settings?)

tia Jakob

--
[1] viewtopic.php?t=24789
[2] http://at.php.net/manual/en/function.se ... estroy.php
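Added example, not code from the thread or from php.net: one way to make the logout link in the third attempt actually take effect. It keeps the realm fixed and instead stores a server-side "reject once" marker in the PHP session; the next protected request that replays the browser's cached credentials is answered with 401, which makes browsers discard the cached pair and prompt again. It also sends no-store cache headers so the BACK button cannot show the protected page from the history cache. Assumptions: PHP runs as an Apache module (so PHP_AUTH_USER and PHP_AUTH_PW are populated), the realm name, the demo account, the `challenge` helper and the `/logged_out.html` target are illustrative.

```php
<?php
// Added example (not from the thread): HTTP Basic auth with a server-side
// "reject once" marker so a logout link makes the browser drop its cached
// credentials, plus cache headers so BACK cannot replay the protected page.
// Assumes PHP runs as an Apache module (PHP_AUTH_USER/PHP_AUTH_PW populated)
// and uses a single constructed demo account in place of a real user store.
const AUTH_REALM = 'Members';
const DEMO_USER  = 'test';
// In real code the hash comes from storage; computed here so the file runs alone.
$demoHash = password_hash('test2', PASSWORD_DEFAULT);

session_start();
// Never let the browser cache the protected page: otherwise BACK shows it
// from the history cache after logout without any request to the server.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

// Send the 401 challenge with a constant realm and stop.
function challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}

// Logout: arm the marker and send the user to a public page. The browser still
// holds the credentials, but the next protected request will be refused once.
if (isset($_GET['logout'])) {
    $_SESSION['reject_once'] = true;
    header('Location: /logged_out.html'); // public page, assumed to exist
    exit;
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pw   = $_SERVER['PHP_AUTH_PW']   ?? null;

// Credentials the browser replays after logout get a 401 exactly once.
// Browsers treat a 401 answer to sent credentials as "wrong password", discard
// the cached pair and prompt the user, so only a deliberate re-entry proceeds.
if ($user !== null && !empty($_SESSION['reject_once'])) {
    unset($_SESSION['reject_once']);
    challenge(AUTH_REALM);
}

if ($user === null || $pw === null) {
    challenge(AUTH_REALM);
}
// hash_equals avoids a timing side channel on the username comparison;
// password_verify does the same for the hashed password.
if (!hash_equals(DEMO_USER, $user) || !password_verify($pw, $demoHash)) {
    challenge(AUTH_REALM);
}

$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
echo 'authenticated as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
echo ' <a href="' . $self . '?logout=1">logout</a>';
```

The marker lives in the PHP session, so it depends on the session cookie surviving between the logout and the next protected request; the credentials themselves stay in the browser's memory until the window is closed, because Basic and Digest auth define no logout message at all. That is why this remains a mitigation rather than a real logout, and why a form login with a server-side session (which can simply be destroyed) is the cleaner design whenever it is an option.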

Posted: Mon Aug 30, 2004 1:07 pm
by Weirdan

Posted: Mon Aug 30, 2004 2:08 pm
by jakobdoppler
*buhuuuhuuuuuu* :cry: damn authentication features !

nevertheless thx !