
I am currently working on an API which contains repositories. And I'm stuck on a PHP feature.

Overall, we have tables that are open for everyone to read so no worries and other tables that contain sensitive information and therefore require authentication. We went through basic authentication. When a table is closed, the browser will ask for a username and password. The first time it works fine.

However, when the same person wants to go to another table that requires a different username and password, the browser does not offer to enter a username and password again. As a result, it does not work because it will use the username and password provided the first time, and since they are not the correct ones, the API will refuse to display it. Which is normal but annoying.

If the person wants to access another resource, they are obliged to either close their browser entirely and then reopen it or open a private browsing page. So I wanted to know if there was a way to tell the browser not to store login information.

I already tried header('Cache-Control: no-cache'); but it doesn't work. Here is the part of the code in question:

    <?php
    // Assumed helper, not shown in the question: send a JSON error and stop.
    function sendErrorResponse(int $status, string $error, string $message): void {
        http_response_code($status);
        header('Content-Type: application/json');
        echo json_encode(['error' => $error, 'message' => $message]);
        exit;
    }

    $conn = pg_connect('host=localhost dbname=api'); // connection string is a placeholder

    // We check the authentication
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        // If no user specified, authentication is requested
        header('WWW-Authenticate: Basic realm="API"');
        // the user will be prompted to enter his username and password from a pop-up
        // If he clicks on Cancel, he will see this access denied message.
        sendErrorResponse(401, "Unauthorized", "Access denied. You did not enter a password");
    } else {
        // We retrieve the authentication information from the database
        $username = pg_escape_string($conn, $_SERVER['PHP_AUTH_USER']);
        $query = "SELECT password, token, role FROM api_information.users WHERE username = '$username'";
        $result = pg_query($conn, $query);
        if ($result === false) {
            sendErrorResponse(500, "InternalServerError", "Error connecting to database");
        }
        // ... password check and table lookup continue here (not shown in the question)
    }

I hope my explanation is understandable enough. Good day.

Onyx
  • cache has nothing to do with basic auth – Your Common Sense May 23 '23 at 14:22
  • Your API needs to send the correct response to trigger the browser to ask for credentials, again, when you have determined that the current username is _not_ authorized to access the data. So you need to send the same response then, as you already did in your if-branch - a `WWW-Authenticate` header, and status code 401. – CBroe May 24 '23 at 06:41
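Applying CBroe's suggestion to the question's setup, as an added example that is not the asker's code nor any posted answer: the API re-sends the 401 plus WWW-Authenticate challenge whenever the supplied credentials are missing, wrong, or not authorised for the requested table, which is what makes the browser prompt again instead of silently re-sending the cached pair. It assumes a pgsql $conn, that api_information.users stores password_hash() hashes, and a constructed role-to-table map standing in for the real authorisation rules.

```php
<?php
// Constructed role-to-table map; stands in for the real authorisation rules.
const TABLES_BY_ROLE = ['public' => ['prices'], 'hr' => ['prices', 'salaries']];

// Assumed helper matching the one called in the question: JSON error, then stop.
function sendErrorResponse(int $status, string $error, string $message): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $error, 'message' => $message]);
    exit;
}

// Re-issue the Basic challenge. Sending it on *every* failure (no credentials,
// wrong credentials, or the wrong account for this table) is what tells the
// browser its cached username/password did not work, so it prompts again.
function challenge(string $message): void {
    header('WWW-Authenticate: Basic realm="API"');
    sendErrorResponse(401, 'Unauthorized', $message);
}

// Authenticates the request for $table and returns the user row on success.
// $server is $_SERVER (passed in so the function is easy to test).
function authenticateForTable($conn, string $table, array $server): array {
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        challenge('Access denied. You did not enter a password');
    }
    // Parameterised query: the username never reaches the SQL text directly.
    $result = pg_query_params(
        $conn,
        'SELECT password, role FROM api_information.users WHERE username = $1',
        [$server['PHP_AUTH_USER']]
    );
    if ($result === false) {
        sendErrorResponse(500, 'InternalServerError', 'Error querying database');
    }
    $row = pg_fetch_assoc($result);
    // Unknown user or wrong password: challenge again rather than answering 403,
    // otherwise the browser keeps re-using the stale pair for every request.
    if ($row === false || !password_verify($server['PHP_AUTH_PW'], $row['password'])) {
        challenge('Access denied. Invalid username or password');
    }
    // Valid login, but this account may not read this table: challenge again
    // so the user can enter the account that can.
    if (!in_array($table, TABLES_BY_ROLE[$row['role']] ?? [], true)) {
        challenge("Access denied. This account cannot read table $table");
    }
    return $row;
}
```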
