I understand that there is no "real solution" to logging out of http as it is stateless. However, all I need is a workaround. The one that I am trying to achieve is when a logout link is clicked it redirects to the logout.php file. That file calls the basic auth header again. I want to have php code pass a bogus password in, and then redirect to my homepage where the user will "be logged out".

I realize they would not actually be logged out, but rather the browser will be attempting to use the most recent auth credentials which will have been passed in and are incorrect, therefore making the user re log in with valid ones.

I have basically no php experience and cannot figure out how to code up the passing of a false password.

Any help is appreciated.

logout.php

<?php
    session_start();
    session_write_close();

    // Challenge the browser again so it discards the cached credentials
    header('HTTP/1.1 401 Access Denied');
    header('WWW-Authenticate: Basic realm="HTTPS File Upload"');
    header('HTTP/1.0 401 Unauthorized');
    // Then send the user back to the homepage
    header('Location: http://www.homepage.com');
?>
  • Could you explain why you are doing this? This seems extremely convoluted for potentially no good reason. The HTTP authentication information is stored in a cookie by the way. Commented Aug 6, 2013 at 16:47
  • Can't you just unset the session variable holding user authentication (if you are using one)? Commented Aug 6, 2013 at 16:49
  • This is for a low volume page where a couple of users have access and sign in, then upload a file for our access. Currently the site has no logout feature at all, which from a website infrastructure point of view looks bad. I don't know much about php or http and from poking around this appeared like a plausible workaround Commented Aug 6, 2013 at 16:52
  • a random idea: do a redirection to an url that contains user information : [email protected] so the browser will try to use it. Commented Aug 6, 2013 at 16:53
  • I inherited the joy of trying to clean up this site, it appears whoever first set it up did not store any login info, so unsetting variables was unsuccessful Commented Aug 6, 2013 at 16:53

4 Answers

Example #3 on this page may be close to what you're looking for.

http://php.net/manual/en/features.http-auth.php

A different route you could take is to implement PHP sessions instead. Here's a good basic read on that.

http://phpmaster.com/php-sessions/

EDIT - you don't need to force invalid credentials if you add a PHP session (yes, you can have both). Even if the only session variable you have is a boolean $_SESSION["IsLoggedIn"]. With said variable, you can add it to the if-statement in example #3, as below, and remove it from the session via your logout.php script.

if (!isset($_SESSION["IsLoggedIn"]) || !isset($_SERVER['PHP_AUTH_USER']) ||
    (isset($_POST['SeenBefore'], $_POST['OldAuth']) && $_POST['SeenBefore'] == 1
     && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
    // No session marker, no Basic header, or the same user re-submitted the form: prompt again
    authenticate();
} else {
    ...
}

and don't forget to use session_start(); at the top of your page whenever you utilize the $_SESSION variable.

2 Comments

Regardless of how you end up writing your code, php.net will be invaluable to you as a PHP programmer
Example 3 is real close. Maybe I should reword this as: I have successfully raised the re-authentication window and wanted to know if there is a way to code something that will automatically fill in that prompt with incorrect information? Example 3 works unless someone just hits the back button on their browser

It does work:

<?php
// Demo credentials: user 'admin'; the md5 value is a placeholder hash
if (!isset($_SERVER['PHP_AUTH_USER']) or isset($_POST['logout'])) {
    // No credentials sent, or the logout button was pressed: challenge again so
    // the browser drops the cached credentials and prompts for new ones
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h1>Access Denied!</h1>';
    exit;
} else {
    // hash_equals() compares in constant time and avoids PHP's loose == on hash strings
    if (!($_SERVER['PHP_AUTH_USER'] == 'admin'
          and hash_equals('d81edf2e48ddddddddd631e374c5932d', md5($_SERVER['PHP_AUTH_PW']))))
    {
        header('HTTP/1.0 401 Unauthorized');
        exit;
    }
    echo "<p>Hello " . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8') . ".</p>";
    // Echoing the password back to the page is for demonstration only
    echo "<p>You entered " . htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES, 'UTF-8') . " as your password.</p>";
}
?>


<html>
<head>
</head>
<body>
<form method="POST">
<button name="logout" type="submit">Log Out</button>
</form>

</body>
</html>
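The 401 challenge from this answer, combined with the "send the user back to the homepage" goal from the question, written here as an added example (not code from the question, from any of the answers, or from the PHP manual). It assumes one constructed user 'uploader' with password 'change-me' hashed via password_hash(), the realm name from the question, and that one script serves as both the protected page and its own logout endpoint.

```php
<?php
// Added example. One script is the protected page and its own logout endpoint.
// Constructed for the demo: user 'uploader', password 'change-me' (hashed at
// start-up; a real site stores the hash in configuration, not in the script).
const REALM = 'HTTPS File Upload';
$USERS = ['uploader' => password_hash('change-me', PASSWORD_DEFAULT)];

function credentials_ok(array $users): bool {
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
    // password_verify() is a constant-time check; no == on hash strings
    return isset($users[$user]) && password_verify($pw, $users[$user]);
}

function challenge(string $title): void {
    // 401 + WWW-Authenticate is what makes the browser discard the credentials
    // it cached for this realm and prompt again. No Location header here: PHP
    // replaces a 401 with a 302/303 when Location is set, so the browser keeps
    // its credentials (this is why the logout.php in the question does not work).
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('HTTP/1.1 401 Unauthorized');
    header('Cache-Control: no-store');
    // The "redirect to the homepage" becomes a plain link in the 401 body
    echo '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h1>';
    echo '<p><a href="/">Back to the homepage</a></p>';
    exit;
}

if (isset($_POST['logout'])) {
    // Re-challenge so the browser drops the Basic credentials it cached for
    // this realm; the user can simply cancel the prompt.
    challenge('You have been logged out');
}

if (!credentials_ok($USERS)) {
    challenge('Access denied');
}
// Protected content must not come from the browser cache after logout (Back button)
header('Cache-Control: no-store');
?>
<html><body>
<p>Hello <?= htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8') ?>.</p>
<form method="POST"><button name="logout" type="submit">Log Out</button></form>
</body></html>
```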

Basic http auth works by passing a username/password with every request. Browsers typically store the credentials and pass them in every request, so your solution cannot be server side, you'd have to figure out a way to tell the browser to forget the credentials, if that's at all possible.

1 Comment

My understanding of the workaround I was attempting is that I attempt to get the browser to use the wrong credentials. The browser uses the most recently passed credentials, so by giving it false ones, it uses them and "forgets" the previous correct ones

Set the http response code to:

401

The response header must include:

WWW-Authenticate : Basic

A user will now be prompted to login when they refresh.

P.S. Chromium browsers will prompt a user to login just from a 401 code, so I would test with IE. Also, private browsing mode is your friend.
