How to logout when using .htaccess (and .htpasswd) authentication? [duplicate]
34

Possible Duplicate:
HTTP authentication logout via PHP

Hi

I have some functionality on my website protected using .htaccess and .htpasswd. When users attempt to access this, they get prompted to enter their details. They enter their details and get in and can see stuff etc. All works fine.

My question is: how do I create logout functionality for this type of authentication? I know that they can close the browser window to "log out", but this is not ideal. What would you suggest?

Thanks.

Longfaced answered 22/7, 2009 at 8:33 Comment(3)
Has been asked before, e.g. see #450288Kunzite
There isn't any kind of implementation without writing a few lines to remove the session, or reset the headers. Try the straightforward approach. blog.acpmasquerade.com/2011/09/…Goss
This one is not really a duplicate of question #450288; the latter is not very specific about the authentication method, whereas the question here is about .htaccess and .htpasswd. In this sense the question here has a more precise wording.Bonilla
33

Browsers usually don't support this, see How do I log out?

Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.

However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.

Consequently, the answer to this question is, you can't. Sorry.

There are browser extensions that allow you to clear the HTTP authentication for a site. For Firefox the WebDeveloper extension (which is one of my favourite extensions anyway) offers this feature. The menu for this is Miscellaneous/Clear Private Data/HTTP Authentication.

Courtroom answered 22/7, 2009 at 8:35 Comment(1)
Firefox's default way of logging out of HTTP auth is available under "Tools" > "Clear Recent History...", as the checkbox "Active Logins". This is neither intuitive nor does it allow you to log out of only one domain; you always log out of every page.Chacma
35

Tested on Firefox and Chrome. What you can do is send the user to http://logout:logout@example.com. This will replace their current username/password with logout/logout (it could be any invalid user/pass combination), and since they now have the wrong username/password, they will have to log in again to access the site.

On Opera this does not work, because you can have several usernames/passwords at the same time. It didn't work on IE either, because IE does not appear to support http://username:password@example.com URLs.

Hiramhirasuna answered 22/7, 2009 at 8:38 Comment(6)
According to RFC 3986 (URI: Generic Syntax) section 3.2.1 (User Information), the use of user:password@host is deprecated. Using only http://logout@example.com/ isn't, and should work in most cases.Chacma
this worked for me in chrome today, great stuff, thanks guys!Nasion
I confirm that this works in Chrome as well, thank a lot!Karolinekaroly
On Chrome 45, after logging out and logging in again, the prompt keeps popping up...Machinery
Do note that this solution is not necessarily future-proof. A browser can - at any time - decide to start supporting multiple active logins or some other feature that breaks this.Weinman
This looks like it works, but once you refresh the page you might be logged in again with the previous account. I have seen that in Chrome.Ardehs
3

I ran into this issue several years ago. It is incredibly frustrating to discover there is a problem everyone is having and no one seems to want to solve in a general way.

As noted in Inadequate Logout functionality in HTTP Authentication I think the answer is to change the RFC to allow timeouts and support a log out button. The author's additional suggestion that the server be able to send a "log out" header would actually eliminate the need for any client user agent support since websites could simply include a link on a web page to a URL that returns the necessary response code and/or header to invalidate the current session.

Simms answered 22/7, 2009 at 16:27 Comment(0)
1

It IS kind of possible to log out. You should implement a logout page which returns HTTP 401 until the user enters bad login information, and then redirects somewhere else. The browser remembers the latest login information accepted, and therefore overrides the correct login.

But this is kind of unusable, because it needs the user's cooperation.

Matadi answered 22/7, 2009 at 9:40 Comment(0)
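The two workable answers above (navigating to http://logout:logout@host/, and a logout page that answers 401 until a wrong credential arrives) are the same mechanism seen from opposite ends: the browser cannot be told to forget a Basic credential, but it will replace the one it cached for a realm with whatever the user types next. What follows is an added example, not code from the question or from any of the answers, of the server side of that mechanism written for Node.js. Everything in it is my assumption rather than something the page states: the realm name `Members`, the redirect target `/`, the constructed USERS table standing in for the .htpasswd file, the logout path `/members/logout`, and the function names parseBasic, credentialsValid, logoutDecision and startServer.

```javascript
// Added example (not from the question or any answer): a "logout" endpoint for
// HTTP Basic auth. It cannot clear the browser's credential cache; it makes the
// browser REPLACE the cached entry with a wrong one, which is exactly what
// visiting http://logout:logout@host/ does (that URL makes the browser send
// "Authorization: Basic bG9nb3V0OmxvZ291dA==", i.e. base64("logout:logout")).
//
// Assumptions (mine, not the page's): the endpoint path lies inside the
// protected path prefix, so the browser sends its cached credential to it
// preemptively; REALM equals the AuthName of the protected area; and the web
// server does not authenticate this one path itself, so the script sees the
// Authorization header instead of Apache answering first.
const REALM = 'Members';
const AFTER_LOGOUT = '/';

// Constructed stand-in for the .htpasswd lookup: username -> password.
// A real deployment verifies against the hashed .htpasswd entries instead.
const USERS = { alice: 'correct horse battery', bob: 'hunter2' };

// Parse "Authorization: Basic <base64(user:pass)>". Returns null if the header
// is absent, uses another scheme, or carries no "user:pass" pair.
function parseBasic(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // only the first ':' separates; passwords may contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Constant-time comparison so a wrong password does not leak, via timing,
// how many leading bytes matched the real one (the length is still exposed).
function safeEqual(a, b) {
  const ba = Buffer.from(a, 'utf8');
  const bb = Buffer.from(b, 'utf8');
  let diff = ba.length ^ bb.length;
  for (let i = 0; i < Math.max(ba.length, bb.length); i++) {
    diff |= (ba[i] ?? 0) ^ (bb[i] ?? 0);
  }
  return diff === 0;
}

// hasOwnProperty guards against "users" like "toString" matching a prototype property.
function credentialsValid(creds, users = USERS) {
  if (!creds || !Object.prototype.hasOwnProperty.call(users, creds.user)) return false;
  return safeEqual(users[creds.user], creds.pass);
}

// Response for a request to the logout path, given its Authorization header.
// Returned as plain data so the decision can be exercised without a socket.
function logoutDecision(authHeader, users = USERS) {
  const creds = parseBasic(authHeader);
  if (creds === null || credentialsValid(creds, users)) {
    // No credential, or the browser replayed the GOOD cached one: challenge
    // with the same realm so the user types something wrong. The browser then
    // caches that wrong pair for the realm in place of the real one.
    return {
      status: 401,
      headers: { 'WWW-Authenticate': `Basic realm="${REALM}"`, 'Cache-Control': 'no-store' },
      body: 'To log out, enter any wrong username and password.\n',
    };
  }
  // A wrong credential arrived: the cache for this realm now holds junk, so the
  // next request to the protected area fails and the user is prompted afresh.
  return {
    status: 302,
    headers: { Location: AFTER_LOGOUT, 'Cache-Control': 'no-store' },
    body: '',
  };
}

// Minimal Node wiring. The dynamic import keeps this file loadable as either a
// CommonJS or an ES module; the server only starts when asked for on the CLI.
async function startServer(port = 8080, logoutPath = '/members/logout') {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    if (req.url !== logoutPath) { res.writeHead(404); res.end(); return; }
    const { status, headers, body } = logoutDecision(req.headers.authorization);
    res.writeHead(status, headers);
    res.end(body);
  });
  await new Promise((resolve) => server.listen(port, resolve));
  return server;
}

if (process.argv.includes('--serve')) {
  startServer().then((s) => console.log(`logout endpoint listening on port ${s.address().port}`));
}
```

Run it with `node logout.js --serve` and visit the logout path in a browser that already holds a credential for the realm. Two deployment caveats follow from how Basic auth works rather than from this code. The logout path must sit inside the protected path prefix and use the same realm as the AuthName in .htaccess; otherwise the browser will not send the cached credential to it and will file the wrong pair under a different realm, leaving the real one intact. And the script has to see the Authorization header itself, so that one path must be excluded from Apache's Require, since otherwise Apache answers the wrong credential with its own 401 before the script runs and the redirect never happens. The comments on the earlier answers still apply: this relies on browser behaviour, needs the user to type something wrong, and Opera's multiple-credential handling defeats it.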

© 2022 - 2024 — McMap. All rights reserved.