The best solution I found so far is (it is sort of pseudo-code, the $isLoggedIn
is pseudo variable for http auth):
At the time of "logout" just store some info to the session saying that user is actually logged out.
function logout()
{
//$isLoggedIn = false; //This does not work (point of this question)
$_SESSION['logout'] = true;
}
In the place where I check for authentication I expand the condition:
function isLoggedIn()
{
return $isLoggedIn && !$_SESSION['logout'];
}
Session is somewhat linked to the state of http authentication so user stays logged out as long as he keeps the browser open and as long as http authentication persists in the browser.