4

Okay so I'm not using any session variables, rather my code looks like this:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Enter your Twitter username and password:"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Please enter your Twitter username and password to view your followers.';
    exit();
}

$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW']; 

So, my question is, how can I destroy this login session when the user wants to sign out of their (in this case) Twitter login credentials?

VolkerK
Patrick C
  • same question, same answers at http://stackoverflow.com/questions/449788/http-authentication-logout-via-php – VolkerK Jul 01 '09 at 00:28

2 Answers

7

There is no way to destroy an HTTP authentication login server-side. This is one of the biggest disadvantages of this form of login.

MitMaro
4

All you can do is to send another 401 header. The browser will usually "forget" the old value, pop up another user/pass input dialog and if users then press the "abort" button they are "logged out". Two drawbacks:

  • The "abort the login to logout" dialog may surprise users a bit
  • "usually" means: better not depend on it.

edit: And has already been answered, HTTP authentication logout via PHP

VolkerK
  • This plus other possible methods are mentioned in the comments of the php manual. However like you said they are not guaranteed to work. Link: http://us3.php.net/manual/en/features.http-auth.php#76511 – MitMaro Jul 01 '09 at 00:20
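
The "send another 401" approach from the second answer, sketched in PHP as an added example that is not part of the original posts. The `?action=logout` parameter, the `REALM` constant and the `challenge()` helper are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or the answers.
// Assumed names: REALM, challenge(), and the ?action=logout query parameter.
const REALM = 'Twitter followers';

// Send a Basic-auth challenge and stop. The realm is a fixed constant and
// matches the one used at login, because browsers cache credentials per realm.
function challenge(string $body): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('HTTP/1.0 401 Unauthorized');
    header('Cache-Control: no-store'); // keep this response out of caches
    echo $body;
    exit();
}

// Logout: answer with a fresh 401 even though credentials were sent.
// The browser treats the cached credentials as rejected and prompts again;
// the body below is only displayed once the user cancels that prompt.
// Re-entering credentials on this URL just repeats the challenge.
if (($_GET['action'] ?? '') === 'logout') {
    challenge('You are signed out. Close the browser window to be sure.');
}

// Normal flow, as in the question.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    challenge('Please enter your Twitter username and password to view your followers.');
}

$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'] ?? '';

// The username is client-supplied input, so escape it before echoing.
echo 'Signed in as ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '. ';
echo '<a href="?action=logout">Sign out</a>';
```

The server never learns whether the browser actually dropped the credentials, so this does not invalidate anything server-side. The browser also resends the username and password with every request, so a page like this should only be served over HTTPS.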