HTTP authentication logout via PHP

Question

What is the correct way to log out of HTTP authentication protected folder   There are workarounds that can achieve this  but they are potentially dangerous because they can be buggy or don t work in certain situations   browsers  That is why I am looking for correct and clean solution

User · Answer

While the others are correct in saying that its impossible to logout from basic http authentication there are ways to implement authentication which behave similarly  One obvious appeoach is to use auth memcookie  If you really want to implement Basic HTTP authentication  i e  use the browser dialogs for logging in trather than an HTTP form  using this - just set the authentication to a seperate  htaccess protected directory containing a PHP script which redirects back where te user came after createing the memcache session

User · Answer

Mu  No correct way exists  not even one that s consistent across browsers   This is a problem that comes from the HTTP specification  section 15 6       Existing HTTP clients and user agents typically retain authentication     information indefinitely  HTTP 1 1  does not provide a method for a     server to direct clients to discard these cached credentials    On the other hand  section 10 4 2 says      If the request already included Authorization credentials  then the 401    response indicates that authorization has been refused for those    credentials  If the 401 response contains the same challenge as the    prior response  and the user agent has already attempted    authentication at least once  then the user SHOULD be presented the    entity that was given in the response  since that entity might    include relevant diagnostic information    In other words  you may be able to show the login box again  as  Karsten says   but the browser doesn t have to honor your request - so don t depend on this  mis feature too much

User · Answer

Workaround  not a clean  nice  or even working  see comments  solution    Disable his credentials one time   You can move your HTTP authentication logic to PHP by sending the appropriate headers  if not logged in    Header  WWW-Authenticate  Basic realm  protected area     Header  HTTP 1 0 401 Unauthorized      And parsing the input with     SERVER  PHP AUTH USER      httpauth-user   SERVER  PHP AUTH PW        httpauth-password   So disabling his credentials one time should be trivial

User · Answer

Logout from HTTP Basic Auth in two steps Let   s say I have a HTTP Basic Auth realm named    Password protected     and Bob is logged in  To log out I make 2 AJAX requests   Access script  logout step1  It adds a random temporary user to  htusers and responds with its login and password  Access script  logout step2 authenticated with the temporary user   s login and password  The script deletes the temporary user and adds this header on the response  WWW-Authenticate  Basic realm  quot Password protected quot   At this point browser forgot Bob   s credentials

User · Answer

The only effective way I ve found to wipe out the PHP AUTH DIGEST or PHP AUTH USER AND PHP AUTH PW credentials is to call the header HTTP 1 1 401 Unauthorized   function clear admin access        header  HTTP 1 1 401 Unauthorized        die  Admin access turned off

User · Answer

I have summarised my solution in an article  https   www hattonwebsolutions co uk articles how to logout of http sessions  however I have used an ajax call and 2x htaccess files  as suggested in this question  How to logout of an HTTP authentication  htaccess  that works in Google Chrome    In short - you   Create a sub folder with an htaccess file on the same AuthName but require a different user Send an ajax request to the page  with the wrong username   which fails  and then trigger a timeout redirect to the logged out page   This avoids having a secondary popup in the logout folder requesting another username  which would confuse users   My article uses Jquery but it should be possible to avoid this

User · Answer

The best solution I found so far is  it is sort of pseudo-code  the  isLoggedIn is pseudo variable for http auth    At the time of  logout  just store some info to the session saying that user is actually logged out   function logout          isLoggedIn   false    This does not work  point of this question      SESSION  logout     true      In the place where I check for authentication I expand the condition   function isLoggedIn       return  isLoggedIn  amp  amp     SESSION  logout        Session is somewhat linked to the state of http authentication so user stays logged out as long as he keeps the browser open and as long as http authentication persists in the browser

User · Answer

Workaround  not a clean  nice  or even working  see comments  solution    Disable his credentials one time   You can move your HTTP authentication logic to PHP by sending the appropriate headers  if not logged in    Header  WWW-Authenticate  Basic realm  protected area     Header  HTTP 1 0 401 Unauthorized      And parsing the input with     SERVER  PHP AUTH USER      httpauth-user   SERVER  PHP AUTH PW        httpauth-password   So disabling his credentials one time should be trivial

User · Answer

Logout from HTTP Basic Auth in two steps Let   s say I have a HTTP Basic Auth realm named    Password protected     and Bob is logged in  To log out I make 2 AJAX requests   Access script  logout step1  It adds a random temporary user to  htusers and responds with its login and password  Access script  logout step2 authenticated with the temporary user   s login and password  The script deletes the temporary user and adds this header on the response  WWW-Authenticate  Basic realm  quot Password protected quot   At this point browser forgot Bob   s credentials

User · Answer

Workaround  not a clean  nice  or even working  see comments  solution    Disable his credentials one time   You can move your HTTP authentication logic to PHP by sending the appropriate headers  if not logged in    Header  WWW-Authenticate  Basic realm  protected area     Header  HTTP 1 0 401 Unauthorized      And parsing the input with     SERVER  PHP AUTH USER      httpauth-user   SERVER  PHP AUTH PW        httpauth-password   So disabling his credentials one time should be trivial

User · Answer

I have summarised my solution in an article  https   www hattonwebsolutions co uk articles how to logout of http sessions  however I have used an ajax call and 2x htaccess files  as suggested in this question  How to logout of an HTTP authentication  htaccess  that works in Google Chrome    In short - you   Create a sub folder with an htaccess file on the same AuthName but require a different user Send an ajax request to the page  with the wrong username   which fails  and then trigger a timeout redirect to the logged out page   This avoids having a secondary popup in the logout folder requesting another username  which would confuse users   My article uses Jquery but it should be possible to avoid this

User · Answer

Method that works nicely in Safari  Also works in Firefox and Opera  but with a warning   Location  http   logout yourserver example com    This tells browser to open URL with new username  overriding previous one

User · Answer

Method that works nicely in Safari  Also works in Firefox and Opera  but with a warning   Location  http   logout yourserver example com    This tells browser to open URL with new username  overriding previous one

User · Answer

The only effective way I ve found to wipe out the PHP AUTH DIGEST or PHP AUTH USER AND PHP AUTH PW credentials is to call the header HTTP 1 1 401 Unauthorized   function clear admin access        header  HTTP 1 1 401 Unauthorized        die  Admin access turned off

User · Answer

AFAIK  there s no clean way to implement a  logout  function when using htaccess  i e  HTTP-based  authentication   This is because such authentication uses the HTTP error code  401  to tell the browser that credentials are required  at which point the browser prompts the user for the details   From then on  until the browser is closed  it will always send the credentials without further prompting

User · Answer

Typically  once a browser has asked the user for credentials and supplied them to a particular web site  it will continue to do so without further prompting  Unlike the various ways you can clear cookies on the client side  I don t know of a similar way to ask the browser to forget its supplied authentication credentials

User · Answer

Typically  once a browser has asked the user for credentials and supplied them to a particular web site  it will continue to do so without further prompting  Unlike the various ways you can clear cookies on the client side  I don t know of a similar way to ask the browser to forget its supplied authentication credentials

User · Answer

My solution to the problem is the following  You can find the function http digest parse    realm and  users in the second example of this page  http   php net manual en features http-auth php    session start     function LogOut       session destroy      session unset   SESSION  session id       session unset   SESSION  logged        header  Location      TRUE  301         function Login       global  realm     if  empty   SESSION  session id           session regenerate id          SESSION  session id     session id           if   IsAuthenticated            header  HTTP 1 1 401 Unauthorized        header  WWW-Authenticate  Digest realm     realm        qop  auth  nonce      SESSION  session id      opaque    md5  realm              SESSION  logged     False      die  Access denied             SESSION  logged     True       function IsAuthenticated      global  realm    global  users      if   empty   SERVER  PHP AUTH DIGEST           return False        check PHP AUTH DIGEST   if     data   http digest parse   SERVER  PHP AUTH DIGEST              isset  users  data  username           return False    invalid username      A1   md5  data  username            realm          users  data  username         A2   md5   SERVER  REQUEST METHOD        data  uri           Give session id instead of data  nonce      valid response     md5  A1       SESSION  session id        data  nc        data  cnonce        data  qop        A2      if   data  response       valid response      return False     return True

User · Answer

The best solution I found so far is  it is sort of pseudo-code  the  isLoggedIn is pseudo variable for http auth    At the time of  logout  just store some info to the session saying that user is actually logged out   function logout          isLoggedIn   false    This does not work  point of this question      SESSION  logout     true      In the place where I check for authentication I expand the condition   function isLoggedIn       return  isLoggedIn  amp  amp     SESSION  logout        Session is somewhat linked to the state of http authentication so user stays logged out as long as he keeps the browser open and as long as http authentication persists in the browser

User · Answer

I needed to reset  htaccess authorization so I used this    lt  php if   isset   SERVER  PHP AUTH USER           header  WWW-Authenticate  Basic realm  My Realm         header  HTTP 1 0 401 Unauthorized        echo  Text to send if user hits Cancel button       exit      gt    Found it here   http   php net manual en features http-auth php  Go figure   A number of solutions reside on that page and it even notes at the bottom  Lynx  doesn t clear the auth like other browsers     I tested it out on my installed browsers and once closed  each browser seems like it consistently requires reauth on reentry

User · Answer

Mu  No correct way exists  not even one that s consistent across browsers   This is a problem that comes from the HTTP specification  section 15 6       Existing HTTP clients and user agents typically retain authentication     information indefinitely  HTTP 1 1  does not provide a method for a     server to direct clients to discard these cached credentials    On the other hand  section 10 4 2 says      If the request already included Authorization credentials  then the 401    response indicates that authorization has been refused for those    credentials  If the 401 response contains the same challenge as the    prior response  and the user agent has already attempted    authentication at least once  then the user SHOULD be presented the    entity that was given in the response  since that entity might    include relevant diagnostic information    In other words  you may be able to show the login box again  as  Karsten says   but the browser doesn t have to honor your request - so don t depend on this  mis feature too much

User · Answer

Mu  No correct way exists  not even one that s consistent across browsers   This is a problem that comes from the HTTP specification  section 15 6       Existing HTTP clients and user agents typically retain authentication     information indefinitely  HTTP 1 1  does not provide a method for a     server to direct clients to discard these cached credentials    On the other hand  section 10 4 2 says      If the request already included Authorization credentials  then the 401    response indicates that authorization has been refused for those    credentials  If the 401 response contains the same challenge as the    prior response  and the user agent has already attempted    authentication at least once  then the user SHOULD be presented the    entity that was given in the response  since that entity might    include relevant diagnostic information    In other words  you may be able to show the login box again  as  Karsten says   but the browser doesn t have to honor your request - so don t depend on this  mis feature too much

User · Answer

There s a lot of great - complex - answers here  In my particular case i found a clean and simple fix for the logout  I have yet to test in Edge  On my page that I have logged in to  I have placed a logout link similar to this    lt a href  https   MyDomainHere net logout html  gt logout lt  a gt    And in the head of that logout html page  which is also protected by the  htaccess  I have a page refresh similar to this    lt meta http-equiv  Refresh  content  0  url https   logout logout MyDomainHere net     gt    Where you would leave the words  logout  in place to clear the username and password cached for the site   I will admit that if multiple pages needed to be able to be directly logged in to from the beginning  each of those points of entry would need their own corresponding logout html page  Otherwise you could centralize the logout by introducing an additional gatekeeper step into the process before the actual login prompt  requiring entry of a phrase to reach a destination of login

User · Answer

Maybe I m missing the point   The most reliable way I ve found to end HTTP Authentication is to close the browser and all browser windows   You can close a browser window using Javascript but I don t think you can close all browser windows

User · Answer

Workaround  You can do this using Javascript    lt html gt  lt head gt   lt script type  text javascript  gt  function logout         var xmlhttp      if  window XMLHttpRequest              xmlhttp   new XMLHttpRequest                 code for IE     else if  window ActiveXObject          xmlhttp new ActiveXObject  Microsoft XMLHTTP              if  window ActiveXObject             IE clear HTTP Authentication       document execCommand  ClearAuthenticationCache          window location href   where to redirect         else           xmlhttp open  GET     path that will return 200 OK   true   logout    logout            xmlhttp send              xmlhttp onreadystatechange   function                 if  xmlhttp readyState    4   window location href   where to redirect                            return false     lt  script gt   lt  head gt   lt body gt   lt a href     onclick  logout     gt Log out lt  a gt   lt  body gt   lt  html gt    What is done above is    for IE - just clear auth cache and redirect somewhere  for other browsers - send an XMLHttpRequest behind the scenes with  logout  login name and password  We need to send it to some path that will return 200 OK to that request  i e  it shouldn t require HTTP authentication     Replace   where to redirect  with some path to redirect to after logging out and replace   path that will return 200 OK  with some path on your site that will return 200 OK

User · Answer

Typically  once a browser has asked the user for credentials and supplied them to a particular web site  it will continue to do so without further prompting  Unlike the various ways you can clear cookies on the client side  I don t know of a similar way to ask the browser to forget its supplied authentication credentials

User · Answer

Mu  No correct way exists  not even one that s consistent across browsers   This is a problem that comes from the HTTP specification  section 15 6       Existing HTTP clients and user agents typically retain authentication     information indefinitely  HTTP 1 1  does not provide a method for a     server to direct clients to discard these cached credentials    On the other hand  section 10 4 2 says      If the request already included Authorization credentials  then the 401    response indicates that authorization has been refused for those    credentials  If the 401 response contains the same challenge as the    prior response  and the user agent has already attempted    authentication at least once  then the user SHOULD be presented the    entity that was given in the response  since that entity might    include relevant diagnostic information    In other words  you may be able to show the login box again  as  Karsten says   but the browser doesn t have to honor your request - so don t depend on this  mis feature too much

User · Answer

Workaround  You can do this using Javascript    lt html gt  lt head gt   lt script type  text javascript  gt  function logout         var xmlhttp      if  window XMLHttpRequest              xmlhttp   new XMLHttpRequest                 code for IE     else if  window ActiveXObject          xmlhttp new ActiveXObject  Microsoft XMLHTTP              if  window ActiveXObject             IE clear HTTP Authentication       document execCommand  ClearAuthenticationCache          window location href   where to redirect         else           xmlhttp open  GET     path that will return 200 OK   true   logout    logout            xmlhttp send              xmlhttp onreadystatechange   function                 if  xmlhttp readyState    4   window location href   where to redirect                            return false     lt  script gt   lt  head gt   lt body gt   lt a href     onclick  logout     gt Log out lt  a gt   lt  body gt   lt  html gt    What is done above is    for IE - just clear auth cache and redirect somewhere  for other browsers - send an XMLHttpRequest behind the scenes with  logout  login name and password  We need to send it to some path that will return 200 OK to that request  i e  it shouldn t require HTTP authentication     Replace   where to redirect  with some path to redirect to after logging out and replace   path that will return 200 OK  with some path on your site that will return 200 OK

User · Answer

The simple answer is that you can t reliably log out of http-authentication   The long answer  Http-auth  like the rest of the HTTP spec  is meant to be stateless   So being  logged in  or  logged out  isn t really a concept that makes sense   The better way to see it is to ask  for each HTTP request  and remember a page load is usually multiple requests    are you allowed to do what you re requesting     The server sees each request as new and unrelated to any previous requests   Browsers have chosen to remember the credentials you tell them on the first 401  and re-send them without the user s explicit permission on subsequent requests   This is an attempt at giving the user the  logged in logged out  model they expect  but it s purely a kludge   It s the browser that s simulating this persistence of state   The web server is completely unaware of it   So  logging out   in the context of http-auth is purely a simulation provided by the browser  and so outside the authority of the server   Yes  there are kludges   But they break RESTful-ness  if that s of value to you  and they are unreliable   If you absolutely require a logged-in logged-out model for your site authentication  the best bet is a tracking cookie  with the persistence of state stored on the server in some manner  mysql  sqlite  flatfile  etc    This will require all requests to be evaluated  for instance  with PHP

User · Answer

Typically  once a browser has asked the user for credentials and supplied them to a particular web site  it will continue to do so without further prompting  Unlike the various ways you can clear cookies on the client side  I don t know of a similar way to ask the browser to forget its supplied authentication credentials

User · Answer

Trac - by default - uses HTTP Authentication as well  Logout does not work and can not be fixed         This is an issue with the HTTP authentication scheme itself  and there s nothing we can do in Trac to fix it properly    There is currently no workaround  JavaScript or other  that works with all major browsers       From  http   trac edgewall org ticket 791 comment 103  Looks like that there is no working answer to the question  that issue has been reported seven years ago and it makes perfect sense  HTTP is stateless  Either a request is done with authentication credentials or not  But that s a matter of the client sending the request  not the server receiving it  The server can only say if a request URI needs authorization or not

User · Answer

Maybe I m missing the point   The most reliable way I ve found to end HTTP Authentication is to close the browser and all browser windows   You can close a browser window using Javascript but I don t think you can close all browser windows

User · Answer

AFAIK  there s no clean way to implement a  logout  function when using htaccess  i e  HTTP-based  authentication   This is because such authentication uses the HTTP error code  401  to tell the browser that credentials are required  at which point the browser prompts the user for the details   From then on  until the browser is closed  it will always send the credentials without further prompting

User · Answer

Method that works nicely in Safari  Also works in Firefox and Opera  but with a warning   Location  http   logout yourserver example com    This tells browser to open URL with new username  overriding previous one

User · Answer

Trac - by default - uses HTTP Authentication as well  Logout does not work and can not be fixed         This is an issue with the HTTP authentication scheme itself  and there s nothing we can do in Trac to fix it properly    There is currently no workaround  JavaScript or other  that works with all major browsers       From  http   trac edgewall org ticket 791 comment 103  Looks like that there is no working answer to the question  that issue has been reported seven years ago and it makes perfect sense  HTTP is stateless  Either a request is done with authentication credentials or not  But that s a matter of the client sending the request  not the server receiving it  The server can only say if a request URI needs authorization or not

User · Answer

My solution to the problem is the following  You can find the function http digest parse    realm and  users in the second example of this page  http   php net manual en features http-auth php    session start     function LogOut       session destroy      session unset   SESSION  session id       session unset   SESSION  logged        header  Location      TRUE  301         function Login       global  realm     if  empty   SESSION  session id           session regenerate id          SESSION  session id     session id           if   IsAuthenticated            header  HTTP 1 1 401 Unauthorized        header  WWW-Authenticate  Digest realm     realm        qop  auth  nonce      SESSION  session id      opaque    md5  realm              SESSION  logged     False      die  Access denied             SESSION  logged     True       function IsAuthenticated      global  realm    global  users      if   empty   SERVER  PHP AUTH DIGEST           return False        check PHP AUTH DIGEST   if     data   http digest parse   SERVER  PHP AUTH DIGEST              isset  users  data  username           return False    invalid username      A1   md5  data  username            realm          users  data  username         A2   md5   SERVER  REQUEST METHOD        data  uri           Give session id instead of data  nonce      valid response     md5  A1       SESSION  session id        data  nc        data  cnonce        data  qop        A2      if   data  response       valid response      return False     return True

User · Answer

AFAIK  there s no clean way to implement a  logout  function when using htaccess  i e  HTTP-based  authentication   This is because such authentication uses the HTTP error code  401  to tell the browser that credentials are required  at which point the browser prompts the user for the details   From then on  until the browser is closed  it will always send the credentials without further prompting

User · Answer

There s a lot of great - complex - answers here  In my particular case i found a clean and simple fix for the logout  I have yet to test in Edge  On my page that I have logged in to  I have placed a logout link similar to this    lt a href  https   MyDomainHere net logout html  gt logout lt  a gt    And in the head of that logout html page  which is also protected by the  htaccess  I have a page refresh similar to this    lt meta http-equiv  Refresh  content  0  url https   logout logout MyDomainHere net     gt    Where you would leave the words  logout  in place to clear the username and password cached for the site   I will admit that if multiple pages needed to be able to be directly logged in to from the beginning  each of those points of entry would need their own corresponding logout html page  Otherwise you could centralize the logout by introducing an additional gatekeeper step into the process before the actual login prompt  requiring entry of a phrase to reach a destination of login

User · Answer

AFAIK  there s no clean way to implement a  logout  function when using htaccess  i e  HTTP-based  authentication   This is because such authentication uses the HTTP error code  401  to tell the browser that credentials are required  at which point the browser prompts the user for the details   From then on  until the browser is closed  it will always send the credentials without further prompting

User · Answer

This might be not the solution that was looked for but i solved it like this  i have 2 scripts for the logout process   logout php   lt  php header  Location  http     domain com log php      gt    log php   lt  php header  location  https   google com      gt    This way i dont get a warning and my session is terminated

User · Answer

Method that works nicely in Safari  Also works in Firefox and Opera  but with a warning   Location  http   logout yourserver example com    This tells browser to open URL with new username  overriding previous one

User · Answer

I needed to reset  htaccess authorization so I used this    lt  php if   isset   SERVER  PHP AUTH USER           header  WWW-Authenticate  Basic realm  My Realm         header  HTTP 1 0 401 Unauthorized        echo  Text to send if user hits Cancel button       exit      gt    Found it here   http   php net manual en features http-auth php  Go figure   A number of solutions reside on that page and it even notes at the bottom  Lynx  doesn t clear the auth like other browsers     I tested it out on my installed browsers and once closed  each browser seems like it consistently requires reauth on reentry

User · Answer

This might be not the solution that was looked for but i solved it like this  i have 2 scripts for the logout process   logout php   lt  php header  Location  http     domain com log php      gt    log php   lt  php header  location  https   google com      gt    This way i dont get a warning and my session is terminated

User · Answer

While the others are correct in saying that its impossible to logout from basic http authentication there are ways to implement authentication which behave similarly  One obvious appeoach is to use auth memcookie  If you really want to implement Basic HTTP authentication  i e  use the browser dialogs for logging in trather than an HTTP form  using this - just set the authentication to a seperate  htaccess protected directory containing a PHP script which redirects back where te user came after createing the memcache session

User · Answer

Workaround  not a clean  nice  or even working  see comments  solution    Disable his credentials one time   You can move your HTTP authentication logic to PHP by sending the appropriate headers  if not logged in    Header  WWW-Authenticate  Basic realm  protected area     Header  HTTP 1 0 401 Unauthorized      And parsing the input with     SERVER  PHP AUTH USER      httpauth-user   SERVER  PHP AUTH PW        httpauth-password   So disabling his credentials one time should be trivial

User · Answer

The simple answer is that you can t reliably log out of http-authentication   The long answer  Http-auth  like the rest of the HTTP spec  is meant to be stateless   So being  logged in  or  logged out  isn t really a concept that makes sense   The better way to see it is to ask  for each HTTP request  and remember a page load is usually multiple requests    are you allowed to do what you re requesting     The server sees each request as new and unrelated to any previous requests   Browsers have chosen to remember the credentials you tell them on the first 401  and re-send them without the user s explicit permission on subsequent requests   This is an attempt at giving the user the  logged in logged out  model they expect  but it s purely a kludge   It s the browser that s simulating this persistence of state   The web server is completely unaware of it   So  logging out   in the context of http-auth is purely a simulation provided by the browser  and so outside the authority of the server   Yes  there are kludges   But they break RESTful-ness  if that s of value to you  and they are unreliable   If you absolutely require a logged-in logged-out model for your site authentication  the best bet is a tracking cookie  with the persistence of state stored on the server in some manner  mysql  sqlite  flatfile  etc    This will require all requests to be evaluated  for instance  with PHP

[php] HTTP authentication logout via PHP

Examples related to php

Examples related to authentication

Examples related to .htaccess

Examples related to http-headers

Examples related to password-protection