How to log out user from web site using BASIC authentication

Question

Is it possible to log out user from a web site if he is using basic authentication   Killing session is not enough  since  once user is authenticated  each request contains login info  so user is automatically logged in next time he she access the site using the same credentials   The only solution so far is to close browser  but that s not acceptable from the usability standpoint

User · Answer

function logout url       var str   url replace  http       http       new Date   getTime               var xmlhttp      if  window XMLHttpRequest  xmlhttp new XMLHttpRequest        else xmlhttp new ActiveXObject  Microsoft XMLHTTP        xmlhttp onreadystatechange function                 if  xmlhttp readyState  4  location reload              xmlhttp open  GET  str true       xmlhttp setRequestHeader  Authorization   Basic xxxxxxxxxx       xmlhttp send        return false

User · Answer

An addition to the answer by bobince      With Ajax you can have your  Logout  link button wired to a Javascript function  Have this function send the XMLHttpRequest with a bad username and password  This should get back a 401  Then set document location back to the pre-login page  This way  the user will never see the extra login dialog during logout  nor have to remember to put in bad credentials

User · Answer

The following function is confirmed working for Firefox 40  Chrome 44  Opera 31 and IE 11  Bowser is used for browser detection  jQuery is also used  - secUrl is the url to a password protected area from which to log out  - redirUrl is the url to a non password protected area  logout success page    - you might wish to increase the redirect timer  currently 200ms     x000D   x000D  function logout secUrl  redirUrl    x000D      if  bowser msie    x000D          document execCommand  ClearAuthenticationCache    false    x000D        else if  bowser gecko    x000D            ajax   x000D              async  false  x000D              url  secUrl  x000D              type   GET   x000D              username   logout  x000D              x000D        else if  bowser webkit    x000D          var xmlhttp   new XMLHttpRequest    x000D          xmlhttp open  GET   secUrl  true   x000D          xmlhttp setRequestHeader  Authorization    Basic logout    x000D          xmlhttp send    x000D        else   x000D          alert  Logging out automatically is unsupported for     bowser name x000D                  nYou must close the browser to log out     x000D        x000D      setTimeout function      x000D          window location href   redirUrl  x000D         200   x000D    x000D   x000D   x000D

User · Answer

Have the user click on a link to https   log out example com   That will overwrite existing credentials with invalid ones  logging them out

User · Answer

Basic Authentication wasn t designed to manage logging out  You can do it  but not completely automatically   What you have to do is have the user click a logout link  and send a    401 Unauthorized    in response  using the same realm and at the same URL folder level as the normal 401 you send requesting a login   They must be directed to input wrong credentials next  eg  a blank username-and-password  and in response you send back a    You have successfully logged out    page  The wrong blank credentials will then overwrite the previous correct credentials   In short  the logout script inverts the logic of the login script  only returning the success page if the user isn t passing the right credentials   The question is whether the somewhat curious    don t enter your password    password box will meet user acceptance  Password managers that try to auto-fill the password can also get in the way here   Edit to add in response to comment  re-log-in is a slightly different problem  unless you require a two-step logout login obviously   You have to reject  401  the first attempt to access the relogin link  than accept the second  which presumably has a different username password   There are a few ways you could do this  One would be to include the current username in the logout link  eg   relogin username   and reject when the credentials match the username

User · Answer

Just for the record  there is a new HTTP Response Header called Clear-Site-Data  If your server reply includes a Clear-Site-Data   cookies  header  then the authentication credentials  not only cookies  should be removed  I tested it on Chrome 77 but this warning shows on the console   Clear-Site-Data header on  https   localhost 9443 clear   Cleared data types   cookies   Clearing channel IDs and HTTP authentication cache is currently not supported  as it breaks active network connections    And the auth credentials aren t removed  so this doesn t works  for now  to implement basic auth logouts  but maybe in the future will  Didn t test on other browsers    References   https   developer mozilla org en-US docs Web HTTP Headers Clear-Site-Data  https   www w3 org TR clear-site-data   https   github com w3c webappsec-clear-site-data  https   caniuse com  feat mdn-http headers clear-site-data cookies

User · Answer

use a session ID  cookie  invalidate the session ID on the server Don t accept users with invalid session IDs

User · Answer

function logout       var userAgent   navigator userAgent toLowerCase       if  userAgent indexOf  msie      -1        document execCommand  ClearAuthenticationCache   false          xhr objectCarte   null     if window XMLHttpRequest      xhr object   new XMLHttpRequest      else if window ActiveXObject      xhr object   new ActiveXObject  Microsoft XMLHTTP      else     alert   Your browser doesn t support XMLHTTPREQUEST       xhr object open   GET    http   yourserver com rep index php   false   username    password      xhr object send         xhr object   null     document location    http   yourserver com      return false

User · Answer

This isn t directly possible with Basic-Authentication   There s no mechanism in the HTTP specification for the server to tell the browser to stop sending the credentials that the user already presented   There are  hacks   see other answers  typically involving using XMLHttpRequest to send an HTTP request with incorrect credentials to overwrite the ones originally supplied

User · Answer

An addition to the answer by bobince      With Ajax you can have your  Logout  link button wired to a Javascript function  Have this function send the XMLHttpRequest with a bad username and password  This should get back a 401  Then set document location back to the pre-login page  This way  the user will never see the extra login dialog during logout  nor have to remember to put in bad credentials

User · Answer

Based on what I read above I got a simple solution that works on any browser   1  on you logout page you call an ajax to your login back end  Your login back end must accept logout user  Once the back end accept  the browser clear the current user and assumes the  logout  user     ajax       async  false      url   http   your login backend       type   GET       username   logout             setTimeout function          window location href    http   normal index      200     2  Now when the user got back to the normal index file it will try to automatic enter in the system with the user  logout   on this second time you must block it by reply with 401 to invoke the login password dialog   3  There are many ways to do that  I created two login back ends  one that accepts the logout user and one that doesn t  My normal login page use the one that doesn t accept  my logout page use the one that accepts it

User · Answer

This JavaScript must be working for all latest version browsers     Detect Browser var isOpera     window opera    navigator userAgent indexOf   OPR     gt   0         Opera 8 0   UA detection to detect Blink v8-powered Opera  var isFirefox   typeof InstallTrigger      undefined        Firefox 1 0  var isSafari   Object prototype toString call window HTMLElement  indexOf  Constructor    gt  0         At least Safari 3     object HTMLElementConstructor   var isChrome     window chrome  amp  amp   isOpera                  Chrome 1  var isIE      cc on    false      document documentMode     At least IE6 var Host   window location host      Clear Basic Realm Authentication if isIE     IE     document execCommand  ClearAuthenticationCache        window location          else if isSafari     Safari  but this works mostly on all browser except chrome      function safeLocation           var outcome  u  m    You should be logged out now               IE has a simple solution for it - API          try   outcome   document execCommand  ClearAuthenticationCache    catch e               Other browsers need a larger solution - AJAX call with special user name -  logout           if   outcome                   Let s create an xmlhttp object             outcome    function x                   if  x                           the reason we use  random  value for password is                         that browsers cache requests  changing                        password effectively behaves like cache-busing                      x open  HEAD   safeLocation    location href  true   logout    new Date    getTime   toString                        x send                             x abort                       return 1    this is   speculative    We are done                      else                       return                                  window XMLHttpRequest   new window XMLHttpRequest       window ActiveXObject   new ActiveXObject  Microsoft XMLHTTP     u                       if   outcome                m    Your browser is too old or too weird to support log out functionality  Close all windows and restart the browser                     alert m           window location                   return   outcome          if present URI does not return 200 OK for GET  set some other 200 OK location here      else    Firefox Chrome     window location    http   log out   Host

User · Answer

This isn t directly possible with Basic-Authentication   There s no mechanism in the HTTP specification for the server to tell the browser to stop sending the credentials that the user already presented   There are  hacks   see other answers  typically involving using XMLHttpRequest to send an HTTP request with incorrect credentials to overwrite the ones originally supplied

User · Answer

type chrome   restart in the address bar and chrome  with all its apps that are running in background  will restart and the Auth password cache will be cleaned

User · Answer

This isn t directly possible with Basic-Authentication   There s no mechanism in the HTTP specification for the server to tell the browser to stop sending the credentials that the user already presented   There are  hacks   see other answers  typically involving using XMLHttpRequest to send an HTTP request with incorrect credentials to overwrite the ones originally supplied

User · Answer

I ve just tested the following in Chrome  79   Firefox  71  and Edge  44  and it works fine  It applies the script solution as others noted above   Just add a  Logout  link and when clicked return the following html       lt div gt You have been logged out  Redirecting to home    lt  div gt        lt script gt      var XHR   new XMLHttpRequest        XHR open  GET     Home MyProtectedPage   true   no user    no password        XHR send         setTimeout function              window location href               3000    lt  script gt

User · Answer

Have the user click on a link to https   log out example com   That will overwrite existing credentials with invalid ones  logging them out

User · Answer

This is working for IE Netscape Chrome          function ClearAuthentication LogOffPage            var IsInternetExplorer   false            try                 var agt navigator userAgent toLowerCase             if  agt indexOf  msie      -1    IsInternetExplorer   true                catch e                  IsInternetExplorer   false                    if  IsInternetExplorer                     Logoff Internet Explorer         document execCommand  ClearAuthenticationCache            window location   LogOffPage              else                    Logoff every other browsers       ajax            username   unknown            password   WrongPassword                url     cgi-bin PrimoCgi            type   GET            beforeSend  function xhr                                 xhr setRequestHeader  Authorization    Basic AAAAAAAAAAAAAAAAAAA                                   error  function err                                         window location   LogOffPage                                          document  ready function                   Btn1   click function                         Call Clear Authentication           ClearAuthentication  force logout html

User · Answer

use a session ID  cookie  invalidate the session ID on the server Don t accept users with invalid session IDs

User · Answer

This JavaScript must be working for all latest version browsers     Detect Browser var isOpera     window opera    navigator userAgent indexOf   OPR     gt   0         Opera 8 0   UA detection to detect Blink v8-powered Opera  var isFirefox   typeof InstallTrigger      undefined        Firefox 1 0  var isSafari   Object prototype toString call window HTMLElement  indexOf  Constructor    gt  0         At least Safari 3     object HTMLElementConstructor   var isChrome     window chrome  amp  amp   isOpera                  Chrome 1  var isIE      cc on    false      document documentMode     At least IE6 var Host   window location host      Clear Basic Realm Authentication if isIE     IE     document execCommand  ClearAuthenticationCache        window location          else if isSafari     Safari  but this works mostly on all browser except chrome      function safeLocation           var outcome  u  m    You should be logged out now               IE has a simple solution for it - API          try   outcome   document execCommand  ClearAuthenticationCache    catch e               Other browsers need a larger solution - AJAX call with special user name -  logout           if   outcome                   Let s create an xmlhttp object             outcome    function x                   if  x                           the reason we use  random  value for password is                         that browsers cache requests  changing                        password effectively behaves like cache-busing                      x open  HEAD   safeLocation    location href  true   logout    new Date    getTime   toString                        x send                             x abort                       return 1    this is   speculative    We are done                      else                       return                                  window XMLHttpRequest   new window XMLHttpRequest       window ActiveXObject   new ActiveXObject  Microsoft XMLHTTP     u                       if   outcome                m    Your browser is too old or too weird to support log out functionality  Close all windows and restart the browser                     alert m           window location                   return   outcome          if present URI does not return 200 OK for GET  set some other 200 OK location here      else    Firefox Chrome     window location    http   log out   Host

User · Answer

This is working for IE Netscape Chrome          function ClearAuthentication LogOffPage            var IsInternetExplorer   false            try                 var agt navigator userAgent toLowerCase             if  agt indexOf  msie      -1    IsInternetExplorer   true                catch e                  IsInternetExplorer   false                    if  IsInternetExplorer                     Logoff Internet Explorer         document execCommand  ClearAuthenticationCache            window location   LogOffPage              else                    Logoff every other browsers       ajax            username   unknown            password   WrongPassword                url     cgi-bin PrimoCgi            type   GET            beforeSend  function xhr                                 xhr setRequestHeader  Authorization    Basic AAAAAAAAAAAAAAAAAAA                                   error  function err                                         window location   LogOffPage                                          document  ready function                   Btn1   click function                         Call Clear Authentication           ClearAuthentication  force logout html

User · Answer

use a session ID  cookie  invalidate the session ID on the server Don t accept users with invalid session IDs

User · Answer

All you need is redirect user on some logout URL and return 401 Unauthorized error on it  On error page  which must be accessible without basic auth  you need to provide a full link to your home page  including scheme and hostname   User will click this link and browser will ask for credentials again   Example for Nginx   location  logout       return 401     error page 401  errors 401 html   location  errors       auth basic off      ssi        on      ssi types  text html      alias  home user errors      Error page  home user errors 401 html    lt  DOCTYPE html gt   lt p gt You re not authorised   lt a href   lt  --  echo var  scheme  -- gt     lt  --  echo var  host  -- gt    gt Login lt  a gt   lt  p gt

User · Answer

All you need is redirect user on some logout URL and return 401 Unauthorized error on it  On error page  which must be accessible without basic auth  you need to provide a full link to your home page  including scheme and hostname   User will click this link and browser will ask for credentials again   Example for Nginx   location  logout       return 401     error page 401  errors 401 html   location  errors       auth basic off      ssi        on      ssi types  text html      alias  home user errors      Error page  home user errors 401 html    lt  DOCTYPE html gt   lt p gt You re not authorised   lt a href   lt  --  echo var  scheme  -- gt     lt  --  echo var  host  -- gt    gt Login lt  a gt   lt  p gt

User · Answer

You can do it entirely in JavaScript   IE has  for a long time  standard API for clearing Basic Authentication cache   document execCommand  ClearAuthenticationCache     Should return true when it works  Returns either false  undefined or blows up on other browsers   New browsers  as of Dec 2012  Chrome  FireFox  Safari  have  magic  behavior  If they see a successful basic auth request with any bogus other username  let s say logout  they clear the credentials cache and possibly set it for that new bogus user name  which you need to make sure is not a valid user name for viewing content   Basic example of that is   var p   window location protocol           current location must return 200 OK for this GET window location   window location href replace p  p    logout password      An  asynchronous  way of doing the above is to do an AJAX call utilizing the logout username  Example    function safeLocation       var outcome  u  m    You should be logged out now           IE has a simple solution for it - API      try   outcome   document execCommand  ClearAuthenticationCache    catch e           Other browsers need a larger solution - AJAX call with special user name -  logout       if   outcome               Let s create an xmlhttp object         outcome    function x               if  x                       the reason we use  random  value for password is                     that browsers cache requests  changing                    password effectively behaves like cache-busing                  x open  HEAD   safeLocation    location href  true   logout    new Date    getTime   toString                    x send                        x abort                   return 1    this is   speculative    We are done                  else                   return                          window XMLHttpRequest   new window XMLHttpRequest       window ActiveXObject   new ActiveXObject  Microsoft XMLHTTP     u              if   outcome            m    Your browser is too old or too weird to support log out functionality  Close all windows and restart the browser             alert m         return   outcome      if present URI does not return 200 OK for GET  set some other 200 OK location here      You can make it a bookmarklet too    javascript  function c  var a b  You should be logged out now   try a document execCommand  ClearAuthenticationCache   catch d   a    a window XMLHttpRequest new window XMLHttpRequest window ActiveXObject new ActiveXObject  Microsoft XMLHTTP   void 0   a open  HEAD  c  location href  0  logout   new Date  getTime   toString    a send     a 1  a void 0  a   b  Your browser is too old or too weird to support log out functionality  Close all windows and restart the browser    alert b      pass safeLocation here if you need

User · Answer

type chrome   restart in the address bar and chrome  with all its apps that are running in background  will restart and the Auth password cache will be cleaned

User · Answer

Basic Authentication wasn t designed to manage logging out  You can do it  but not completely automatically   What you have to do is have the user click a logout link  and send a    401 Unauthorized    in response  using the same realm and at the same URL folder level as the normal 401 you send requesting a login   They must be directed to input wrong credentials next  eg  a blank username-and-password  and in response you send back a    You have successfully logged out    page  The wrong blank credentials will then overwrite the previous correct credentials   In short  the logout script inverts the logic of the login script  only returning the success page if the user isn t passing the right credentials   The question is whether the somewhat curious    don t enter your password    password box will meet user acceptance  Password managers that try to auto-fill the password can also get in the way here   Edit to add in response to comment  re-log-in is a slightly different problem  unless you require a two-step logout login obviously   You have to reject  401  the first attempt to access the relogin link  than accept the second  which presumably has a different username password   There are a few ways you could do this  One would be to include the current username in the logout link  eg   relogin username   and reject when the credentials match the username

User · Answer

An addition to the answer by bobince      With Ajax you can have your  Logout  link button wired to a Javascript function  Have this function send the XMLHttpRequest with a bad username and password  This should get back a 401  Then set document location back to the pre-login page  This way  the user will never see the extra login dialog during logout  nor have to remember to put in bad credentials

User · Answer

Here s a very simple Javascript example using jQuery   function logout to url        var out   window location href replace              log out          jQuery get out  error function             window location   to url              This log user out without showing him the browser log-in box again  then redirect him to a logged out page

User · Answer

x000D   x000D      function logout secUrl  redirUrl    x000D          if  bowser msie    x000D              document execCommand  ClearAuthenticationCache    false    x000D            else if  bowser gecko    x000D                ajax   x000D                  async  false  x000D                  url  secUrl  x000D                  type   GET   x000D                  username   logout  x000D                  x000D            else if  bowser webkit    x000D              var xmlhttp   new XMLHttpRequest    x000D              xmlhttp open  GET   secUrl  true   x000D              xmlhttp setRequestHeader  Authorization    Basic logout    x000D              xmlhttp send    x000D            else   x000D              alert  Logging out automatically is unsupported for     bowser name x000D                      nYou must close the browser to log out     x000D            x000D          setTimeout function      x000D              window location href   redirUrl  x000D             200   x000D        x000D   x000D   x000D     I tried using the above in the following way    php     ob start        session start        require once  dbconnect php           if session is not set this will redirect to login page     if   isset   SESSION  user                header  Location  index php            exit               select loggedin users detail      res mysql query  SELECT   FROM users WHERE userId     SESSION  user          userRow mysql fetch array  res     gt   lt  DOCTYPE html gt   lt html gt   lt head gt   lt meta http-equiv  Content-Type  content  text html  charset utf-8    gt   lt title gt Welcome -  lt  php echo  userRow  userEmail      gt  lt  title gt   lt link rel  stylesheet  href  assets css bootstrap min css  type  text css     gt   lt link rel  stylesheet  href  style css  type  text css    gt        lt script src  assets js bowser min js  gt  lt  script gt   lt script gt    function logout secUrl  redirUrl    bowser   require  bowser    function logout secUrl  redirUrl    alert redirUrl       if  bowser msie            document execCommand  ClearAuthenticationCache    false          else if  bowser gecko              ajax               async  false              url  secUrl              type   GET               username   logout                    else if  bowser webkit            var xmlhttp   new XMLHttpRequest            xmlhttp open  GET   secUrl  true           xmlhttp setRequestHeader  Authorization    Basic logout            xmlhttp send          else           alert  Logging out automatically is unsupported for     bowser name                 nYou must close the browser to log out               window location assign redirUrl         setTimeout function              window location href   redirUrl         200         function f1                alert  f1 called             form validation that recalls the page showing with supplied inputs             lt  script gt   lt  head gt   lt body gt        lt nav class  navbar navbar-default navbar-fixed-top  gt         lt div class  container  gt           lt div class  navbar-header  gt             lt button type  button  class  navbar-toggle collapsed  data-toggle  collapse  data-target   navbar  aria-expanded  false  aria-controls  navbar  gt               lt span class  sr-only  gt Toggle navigation lt  span gt               lt span class  icon-bar  gt  lt  span gt               lt span class  icon-bar  gt  lt  span gt               lt span class  icon-bar  gt  lt  span gt             lt  button gt             lt a class  navbar-brand  href  http   www codingcage com  gt Coding Cage lt  a gt           lt  div gt           lt div id  navbar  class  navbar-collapse collapse  gt             lt ul class  nav navbar-nav  gt               lt li class  active  gt  lt a href  http   www codingcage com 2015 01 user-registration-and-login-script-using-php-mysql html  gt Back to Article lt  a gt  lt  li gt               lt li gt  lt a href  http   www codingcage com search label jQuery  gt jQuery lt  a gt  lt  li gt               lt li gt  lt a href  http   www codingcage com search label PHP  gt PHP lt  a gt  lt  li gt             lt  ul gt             lt ul class  nav navbar-nav navbar-right  gt                lt li class  dropdown  gt                 lt a href     class  dropdown-toggle  data-toggle  dropdown  role  button  aria-haspopup  true  aria-expanded  false  gt                 lt span class  glyphicon glyphicon-user  gt  lt  span gt  amp nbsp Hi   lt  php echo  userRow  userEmail      gt  amp nbsp  lt span class  caret  gt  lt  span gt  lt  a gt                 lt ul class  dropdown-menu  gt                   lt li gt  lt a href  logout php logout  gt  lt span class  glyphicon glyphicon-log-out  gt  lt  span gt  amp nbsp Sign Out lt  a gt  lt  li gt                 lt  ul gt               lt  li gt             lt  ul gt           lt  div gt  lt  --  nav-collapse -- gt         lt  div gt       lt  nav gt         lt div id  wrapper  gt        lt div class  container  gt            lt div class  page-header  gt           lt h3 gt Coding Cage - Programming Blog lt  h3 gt           lt  div gt            lt div class  row  gt           lt div class  col-lg-12  id  div logout  gt           lt h1 onclick  logout window location href   www espncricinfo com    gt MichaelA1S1  Click here to see log out functionality upon click inside div lt  h1 gt           lt  div gt           lt  div gt        lt  div gt        lt  div gt        lt script src  assets jquery-1 11 3-jquery min js  gt  lt  script gt       lt script src  assets js bootstrap min js  gt  lt  script gt     lt  body gt   lt  html gt   lt  php ob end flush      gt    But it only redirects you  to new location  No logout

User · Answer

use a session ID  cookie  invalidate the session ID on the server Don t accept users with invalid session IDs

User · Answer

I ve just tested the following in Chrome  79   Firefox  71  and Edge  44  and it works fine  It applies the script solution as others noted above   Just add a  Logout  link and when clicked return the following html       lt div gt You have been logged out  Redirecting to home    lt  div gt        lt script gt      var XHR   new XMLHttpRequest        XHR open  GET     Home MyProtectedPage   true   no user    no password        XHR send         setTimeout function              window location href               3000    lt  script gt

User · Answer

function logout       var userAgent   navigator userAgent toLowerCase       if  userAgent indexOf  msie      -1        document execCommand  ClearAuthenticationCache   false          xhr objectCarte   null     if window XMLHttpRequest      xhr object   new XMLHttpRequest      else if window ActiveXObject      xhr object   new ActiveXObject  Microsoft XMLHTTP      else     alert   Your browser doesn t support XMLHTTPREQUEST       xhr object open   GET    http   yourserver com rep index php   false   username    password      xhr object send         xhr object   null     document location    http   yourserver com      return false

User · Answer

add this to your application     app route   logout   def logout        return   Logout   401    WWW-Authenticate    Basic realm  Login required

User · Answer

add this to your application     app route   logout   def logout        return   Logout   401    WWW-Authenticate    Basic realm  Login required

User · Answer

It s actually pretty simple   Just visit the following in your browser and use wrong credentials  http   username password yourdomain com  That should  log you out

User · Answer

The following function is confirmed working for Firefox 40  Chrome 44  Opera 31 and IE 11  Bowser is used for browser detection  jQuery is also used  - secUrl is the url to a password protected area from which to log out  - redirUrl is the url to a non password protected area  logout success page    - you might wish to increase the redirect timer  currently 200ms     x000D   x000D  function logout secUrl  redirUrl    x000D      if  bowser msie    x000D          document execCommand  ClearAuthenticationCache    false    x000D        else if  bowser gecko    x000D            ajax   x000D              async  false  x000D              url  secUrl  x000D              type   GET   x000D              username   logout  x000D              x000D        else if  bowser webkit    x000D          var xmlhttp   new XMLHttpRequest    x000D          xmlhttp open  GET   secUrl  true   x000D          xmlhttp setRequestHeader  Authorization    Basic logout    x000D          xmlhttp send    x000D        else   x000D          alert  Logging out automatically is unsupported for     bowser name x000D                  nYou must close the browser to log out     x000D        x000D      setTimeout function      x000D          window location href   redirUrl  x000D         200   x000D    x000D   x000D   x000D

User · Answer

It s actually pretty simple   Just visit the following in your browser and use wrong credentials  http   username password yourdomain com  That should  log you out

User · Answer

This isn t directly possible with Basic-Authentication   There s no mechanism in the HTTP specification for the server to tell the browser to stop sending the credentials that the user already presented   There are  hacks   see other answers  typically involving using XMLHttpRequest to send an HTTP request with incorrect credentials to overwrite the ones originally supplied

User · Answer

Here s a very simple Javascript example using jQuery   function logout to url        var out   window location href replace              log out          jQuery get out  error function             window location   to url              This log user out without showing him the browser log-in box again  then redirect him to a logged out page

User · Answer

Sending https   invalid login hostname works fine everywhere except Safari on Mac  well  not checked Edge but should work there too    Logout doesn t work in Safari when a user selects  remember password  in the HTTP Basic Authentication popup  In this case the password is stored in  Keychain Access  Finder   Applications   Utilities   Keychain Access  or CMD SPACE and type  Keychain Access     Sending https   invalid login hostname doesn t affect Keychain Access  so with this checkbox it is not possible to logout on Safari on Mac  At least it is how it works for me   MacOS Mojave  10 14 6   Safari 12 1 2   The code below works fine for me in Firefox  73   Chrome  80  and Safari  12   When a user navigates to a logout page the code is executed and drops the credentials         It should return 401  necessary for Safari only     const logoutUrl    https   example com logout        const xmlHttp   new XMLHttpRequest        xmlHttp open  POST   logoutUrl  true   logout        xmlHttp send      Also for some reason Safari doesn t save credentials in the HTTP Basic Authentication popup even when the  remember password  is selected  The other browsers do this correctly

User · Answer

Basic Authentication wasn t designed to manage logging out  You can do it  but not completely automatically   What you have to do is have the user click a logout link  and send a    401 Unauthorized    in response  using the same realm and at the same URL folder level as the normal 401 you send requesting a login   They must be directed to input wrong credentials next  eg  a blank username-and-password  and in response you send back a    You have successfully logged out    page  The wrong blank credentials will then overwrite the previous correct credentials   In short  the logout script inverts the logic of the login script  only returning the success page if the user isn t passing the right credentials   The question is whether the somewhat curious    don t enter your password    password box will meet user acceptance  Password managers that try to auto-fill the password can also get in the way here   Edit to add in response to comment  re-log-in is a slightly different problem  unless you require a two-step logout login obviously   You have to reject  401  the first attempt to access the relogin link  than accept the second  which presumably has a different username password   There are a few ways you could do this  One would be to include the current username in the logout link  eg   relogin username   and reject when the credentials match the username

User · Answer

Based on what I read above I got a simple solution that works on any browser   1  on you logout page you call an ajax to your login back end  Your login back end must accept logout user  Once the back end accept  the browser clear the current user and assumes the  logout  user     ajax       async  false      url   http   your login backend       type   GET       username   logout             setTimeout function          window location href    http   normal index      200     2  Now when the user got back to the normal index file it will try to automatic enter in the system with the user  logout   on this second time you must block it by reply with 401 to invoke the login password dialog   3  There are many ways to do that  I created two login back ends  one that accepts the logout user and one that doesn t  My normal login page use the one that doesn t accept  my logout page use the one that accepts it

User · Answer

x000D   x000D      function logout secUrl  redirUrl    x000D          if  bowser msie    x000D              document execCommand  ClearAuthenticationCache    false    x000D            else if  bowser gecko    x000D                ajax   x000D                  async  false  x000D                  url  secUrl  x000D                  type   GET   x000D                  username   logout  x000D                  x000D            else if  bowser webkit    x000D              var xmlhttp   new XMLHttpRequest    x000D              xmlhttp open  GET   secUrl  true   x000D              xmlhttp setRequestHeader  Authorization    Basic logout    x000D              xmlhttp send    x000D            else   x000D              alert  Logging out automatically is unsupported for     bowser name x000D                      nYou must close the browser to log out     x000D            x000D          setTimeout function      x000D              window location href   redirUrl  x000D             200   x000D        x000D   x000D   x000D     I tried using the above in the following way    php     ob start        session start        require once  dbconnect php           if session is not set this will redirect to login page     if   isset   SESSION  user                header  Location  index php            exit               select loggedin users detail      res mysql query  SELECT   FROM users WHERE userId     SESSION  user          userRow mysql fetch array  res     gt   lt  DOCTYPE html gt   lt html gt   lt head gt   lt meta http-equiv  Content-Type  content  text html  charset utf-8    gt   lt title gt Welcome -  lt  php echo  userRow  userEmail      gt  lt  title gt   lt link rel  stylesheet  href  assets css bootstrap min css  type  text css     gt   lt link rel  stylesheet  href  style css  type  text css    gt        lt script src  assets js bowser min js  gt  lt  script gt   lt script gt    function logout secUrl  redirUrl    bowser   require  bowser    function logout secUrl  redirUrl    alert redirUrl       if  bowser msie            document execCommand  ClearAuthenticationCache    false          else if  bowser gecko              ajax               async  false              url  secUrl              type   GET               username   logout                    else if  bowser webkit            var xmlhttp   new XMLHttpRequest            xmlhttp open  GET   secUrl  true           xmlhttp setRequestHeader  Authorization    Basic logout            xmlhttp send          else           alert  Logging out automatically is unsupported for     bowser name                 nYou must close the browser to log out               window location assign redirUrl         setTimeout function              window location href   redirUrl         200         function f1                alert  f1 called             form validation that recalls the page showing with supplied inputs             lt  script gt   lt  head gt   lt body gt        lt nav class  navbar navbar-default navbar-fixed-top  gt         lt div class  container  gt           lt div class  navbar-header  gt             lt button type  button  class  navbar-toggle collapsed  data-toggle  collapse  data-target   navbar  aria-expanded  false  aria-controls  navbar  gt               lt span class  sr-only  gt Toggle navigation lt  span gt               lt span class  icon-bar  gt  lt  span gt               lt span class  icon-bar  gt  lt  span gt               lt span class  icon-bar  gt  lt  span gt             lt  button gt             lt a class  navbar-brand  href  http   www codingcage com  gt Coding Cage lt  a gt           lt  div gt           lt div id  navbar  class  navbar-collapse collapse  gt             lt ul class  nav navbar-nav  gt               lt li class  active  gt  lt a href  http   www codingcage com 2015 01 user-registration-and-login-script-using-php-mysql html  gt Back to Article lt  a gt  lt  li gt               lt li gt  lt a href  http   www codingcage com search label jQuery  gt jQuery lt  a gt  lt  li gt               lt li gt  lt a href  http   www codingcage com search label PHP  gt PHP lt  a gt  lt  li gt             lt  ul gt             lt ul class  nav navbar-nav navbar-right  gt                lt li class  dropdown  gt                 lt a href     class  dropdown-toggle  data-toggle  dropdown  role  button  aria-haspopup  true  aria-expanded  false  gt                 lt span class  glyphicon glyphicon-user  gt  lt  span gt  amp nbsp Hi   lt  php echo  userRow  userEmail      gt  amp nbsp  lt span class  caret  gt  lt  span gt  lt  a gt                 lt ul class  dropdown-menu  gt                   lt li gt  lt a href  logout php logout  gt  lt span class  glyphicon glyphicon-log-out  gt  lt  span gt  amp nbsp Sign Out lt  a gt  lt  li gt                 lt  ul gt               lt  li gt             lt  ul gt           lt  div gt  lt  --  nav-collapse -- gt         lt  div gt       lt  nav gt         lt div id  wrapper  gt        lt div class  container  gt            lt div class  page-header  gt           lt h3 gt Coding Cage - Programming Blog lt  h3 gt           lt  div gt            lt div class  row  gt           lt div class  col-lg-12  id  div logout  gt           lt h1 onclick  logout window location href   www espncricinfo com    gt MichaelA1S1  Click here to see log out functionality upon click inside div lt  h1 gt           lt  div gt           lt  div gt        lt  div gt        lt  div gt        lt script src  assets jquery-1 11 3-jquery min js  gt  lt  script gt       lt script src  assets js bootstrap min js  gt  lt  script gt     lt  body gt   lt  html gt   lt  php ob end flush      gt    But it only redirects you  to new location  No logout

User · Answer

You can do it entirely in JavaScript   IE has  for a long time  standard API for clearing Basic Authentication cache   document execCommand  ClearAuthenticationCache     Should return true when it works  Returns either false  undefined or blows up on other browsers   New browsers  as of Dec 2012  Chrome  FireFox  Safari  have  magic  behavior  If they see a successful basic auth request with any bogus other username  let s say logout  they clear the credentials cache and possibly set it for that new bogus user name  which you need to make sure is not a valid user name for viewing content   Basic example of that is   var p   window location protocol           current location must return 200 OK for this GET window location   window location href replace p  p    logout password      An  asynchronous  way of doing the above is to do an AJAX call utilizing the logout username  Example    function safeLocation       var outcome  u  m    You should be logged out now           IE has a simple solution for it - API      try   outcome   document execCommand  ClearAuthenticationCache    catch e           Other browsers need a larger solution - AJAX call with special user name -  logout       if   outcome               Let s create an xmlhttp object         outcome    function x               if  x                       the reason we use  random  value for password is                     that browsers cache requests  changing                    password effectively behaves like cache-busing                  x open  HEAD   safeLocation    location href  true   logout    new Date    getTime   toString                    x send                        x abort                   return 1    this is   speculative    We are done                  else                   return                          window XMLHttpRequest   new window XMLHttpRequest       window ActiveXObject   new ActiveXObject  Microsoft XMLHTTP     u              if   outcome            m    Your browser is too old or too weird to support log out functionality  Close all windows and restart the browser             alert m         return   outcome      if present URI does not return 200 OK for GET  set some other 200 OK location here      You can make it a bookmarklet too    javascript  function c  var a b  You should be logged out now   try a document execCommand  ClearAuthenticationCache   catch d   a    a window XMLHttpRequest new window XMLHttpRequest window ActiveXObject new ActiveXObject  Microsoft XMLHTTP   void 0   a open  HEAD  c  location href  0  logout   new Date  getTime   toString    a send     a 1  a void 0  a   b  Your browser is too old or too weird to support log out functionality  Close all windows and restart the browser    alert b      pass safeLocation here if you need

User · Answer

Just for the record  there is a new HTTP Response Header called Clear-Site-Data  If your server reply includes a Clear-Site-Data   cookies  header  then the authentication credentials  not only cookies  should be removed  I tested it on Chrome 77 but this warning shows on the console   Clear-Site-Data header on  https   localhost 9443 clear   Cleared data types   cookies   Clearing channel IDs and HTTP authentication cache is currently not supported  as it breaks active network connections    And the auth credentials aren t removed  so this doesn t works  for now  to implement basic auth logouts  but maybe in the future will  Didn t test on other browsers    References   https   developer mozilla org en-US docs Web HTTP Headers Clear-Site-Data  https   www w3 org TR clear-site-data   https   github com w3c webappsec-clear-site-data  https   caniuse com  feat mdn-http headers clear-site-data cookies

User · Answer

I updated mthoring s solution for modern Chrome versions   function logout secUrl  redirUrl        if  bowser msie            document execCommand  ClearAuthenticationCache    false          else if  bowser gecko              ajax               async  false              url  secUrl              type   GET               username   logout                    else if  bowser webkit    bowser chrome            var xmlhttp   new XMLHttpRequest            xmlhttp open   GET    secUrl  true           xmlhttp setRequestHeader   Authorization      Basic logout              xmlhttp send          else      http   stackoverflow com questions 5957822 how-to-clear-basic-authentication-details-in-chrome         redirUrl   url replace  http       http       new Date   getTime                     setTimeout function              window location href   redirUrl         200

User · Answer

I updated mthoring s solution for modern Chrome versions   function logout secUrl  redirUrl        if  bowser msie            document execCommand  ClearAuthenticationCache    false          else if  bowser gecko              ajax               async  false              url  secUrl              type   GET               username   logout                    else if  bowser webkit    bowser chrome            var xmlhttp   new XMLHttpRequest            xmlhttp open   GET    secUrl  true           xmlhttp setRequestHeader   Authorization      Basic logout              xmlhttp send          else      http   stackoverflow com questions 5957822 how-to-clear-basic-authentication-details-in-chrome         redirUrl   url replace  http       http       new Date   getTime                     setTimeout function              window location href   redirUrl         200

User · Answer

function logout url       var str   url replace  http       http       new Date   getTime               var xmlhttp      if  window XMLHttpRequest  xmlhttp new XMLHttpRequest        else xmlhttp new ActiveXObject  Microsoft XMLHTTP        xmlhttp onreadystatechange function                 if  xmlhttp readyState  4  location reload              xmlhttp open  GET  str true       xmlhttp setRequestHeader  Authorization   Basic xxxxxxxxxx       xmlhttp send        return false

User · Answer

Basic Authentication wasn t designed to manage logging out  You can do it  but not completely automatically   What you have to do is have the user click a logout link  and send a    401 Unauthorized    in response  using the same realm and at the same URL folder level as the normal 401 you send requesting a login   They must be directed to input wrong credentials next  eg  a blank username-and-password  and in response you send back a    You have successfully logged out    page  The wrong blank credentials will then overwrite the previous correct credentials   In short  the logout script inverts the logic of the login script  only returning the success page if the user isn t passing the right credentials   The question is whether the somewhat curious    don t enter your password    password box will meet user acceptance  Password managers that try to auto-fill the password can also get in the way here   Edit to add in response to comment  re-log-in is a slightly different problem  unless you require a two-step logout login obviously   You have to reject  401  the first attempt to access the relogin link  than accept the second  which presumably has a different username password   There are a few ways you could do this  One would be to include the current username in the logout link  eg   relogin username   and reject when the credentials match the username

User · Answer

An addition to the answer by bobince      With Ajax you can have your  Logout  link button wired to a Javascript function  Have this function send the XMLHttpRequest with a bad username and password  This should get back a 401  Then set document location back to the pre-login page  This way  the user will never see the extra login dialog during logout  nor have to remember to put in bad credentials

User · Answer

Sending https   invalid login hostname works fine everywhere except Safari on Mac  well  not checked Edge but should work there too    Logout doesn t work in Safari when a user selects  remember password  in the HTTP Basic Authentication popup  In this case the password is stored in  Keychain Access  Finder   Applications   Utilities   Keychain Access  or CMD SPACE and type  Keychain Access     Sending https   invalid login hostname doesn t affect Keychain Access  so with this checkbox it is not possible to logout on Safari on Mac  At least it is how it works for me   MacOS Mojave  10 14 6   Safari 12 1 2   The code below works fine for me in Firefox  73   Chrome  80  and Safari  12   When a user navigates to a logout page the code is executed and drops the credentials         It should return 401  necessary for Safari only     const logoutUrl    https   example com logout        const xmlHttp   new XMLHttpRequest        xmlHttp open  POST   logoutUrl  true   logout        xmlHttp send      Also for some reason Safari doesn t save credentials in the HTTP Basic Authentication popup even when the  remember password  is selected  The other browsers do this correctly

[http] How to log out user from web site using BASIC authentication?

Examples related to http

Examples related to authentication

Examples related to basic-authentication