Basic Auth: force browser to ask password again

Posted on 2002-06-14
Last Modified: 2012-05-04
I'm a Chinese programmer in Singapore, in need of expert advice.

First let me describe "Basic Auth" because it is known by many names to many people. (Skip to "The Problem" if you know what I mean.) If I protect a URL with HTTP Basic Authentication (through .htaccess in Apache), then the browser will pop up a dialog box requesting a password whenever someone accesses the URL.

[ The Problem ] How to force the browser to request credentials again. Once a credential is accepted, the browser will send it to other URLs on the same site. The only way to force the browser to pop up the dialog box is: close the browser and restart a new browser.

[ Solutions that don't work ] I used client-side JavaScript to close all my browser windows and "" a new browser window, but the new window remembers the credential and therefore doesn't ask. Instead of "", I also tried <a href='some.html' target=new_window>.

Browser used: MSIE 5
OS: win98
Question by: eng40490

Accepted Solution

mouatts earned 250 total points
ID: 7078963
OK, I'm not too hot on what Apache can and can't do, but if I tell you what you would need to do then perhaps someone else can help as to whether Apache can actually do it.

When a request is made to a server with basic authentication turned on, it sends a response as below:

WWW-Authenticate: Basic realm="myrealm"

The browser will prompt the user and will return a message that includes the username and password.

All subsequent requests to the server will send the username and password within the message.

Now to force a redisplay of the prompt your server will need to send a 401 message along with the authenticate message above.

Now I suspect that the browser may think well I already know the username and password for this realm so it will not prompt the user. (This is worth checking though)

Assuming that to be the case you will need to send a different realm name out when you send the 401.

What I'm not sure of is how Apache associates the realms with the usernames that it holds and whether it can handle multiple realms in this way.
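
The 401-plus-new-realm idea from the answer above, as an added example that is not part of the original thread: after a logout, only that user's next request is challenged once under a fresh realm name, so other users' sessions are untouched. The account table, the `/logout` path and the `myrealm-N` naming are assumptions made for the sketch.

```python
import base64
import hmac

USERS = {"alice": "wonderland", "bob": "builder"}  # constructed sample accounts
BASE_REALM = "myrealm"
pending_logout = set()  # users whose cached credentials must be challenged once
realm_counter = 0       # gives every forced challenge a realm name not used before


def parse_basic(header):
    """Decode 'Basic <base64(user:password)>' into (user, password), or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def challenge(realm):
    """A 401 with WWW-Authenticate is what makes the browser show its dialog."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}


def handle(path, auth_header=None):
    """Return (status, headers) for one request to the protected area."""
    global realm_counter
    creds = parse_basic(auth_header)
    expected = USERS.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(
            expected.encode(), creds[1].encode()):
        return challenge(BASE_REALM)  # missing or wrong credentials
    user = creds[0]
    if path == "/logout":
        pending_logout.add(user)      # affects only the user who logged out
        return 200, {}
    if user in pending_logout:
        # Valid credentials, but cached from before the logout: challenge once
        # under a new realm for which the browser has nothing stored.
        pending_logout.discard(user)
        realm_counter += 1
        return challenge("%s-%d" % (BASE_REALM, realm_counter))
    return 200, {}
```

Whether the browser really drops the cached password when it receives that 401 is the browser's decision, which is the limitation raised later in the thread.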



Expert Comment

ID: 7079791
What you are trying to do (if I understand it correctly) is force the browser to do something it is simply not supposed to do. Once the browser has the credentials for a realm and those credentials are valid for a set of urls, it is by design supposed to hold onto those credentials and as long as the server accepts them as valid it is supposed to allow the browser to access those urls.

You seem to be saying that you want to somehow force the browser to drop its credentials even when they are still valid for a given url. This makes no sense to me. It is the _server_ that causes the browser to ask the user for their credentials, the browser has absolutely no control over this. And if the browser already has valid credentials for a given url, i.e. the user is on the Access list for said url, there is simply no logical reason to make the browser ask for them again.

If you want the user's credentials to become invalidated, all you have to do is remove said user from the Access list for those urls. Once they are no longer on the Access list they will immediately get a 401 and the browser will ask the user for new credentials. This is how the system is designed to work, there isn't much point in trying to force it to act differently.

Could you possibly explain _why_ you are trying to do what you are describing? I ask because it may be more effective for us to try and come up with a different way to achieve the same goal here...


Author Comment

ID: 7080048
LOGOUT is what I want. The client machines are shared. Once User Alice logs out, we want the browser to "forget" the credentials, so that User Bob can't go in without password.

My partners do not like cookies, so we use Basic Auth.

Thanks to Steve and Heath, we now have 3 directions to explore:
1) close browser window and all parents/children windows
2) modify Realm in .htaccess
3) modify account in AuthUserFile

For (2), please remember we have other users, perhaps in a login session. The new realm should apply to only the user who has logged out and who tries to come in again.

Expert Comment

ID: 7080138
Read this page:

It outlines some people's attempts to do what you are describing on Apache with PHP... But note that all suggested ways to implement a "logout" feature that I have seen for BasicAuth were implemented server side by basically the same method that mouatts suggested, change the realm and send a 401. It has to be done very carefully to ensure the desired response from the user agent, and even then it isn't 100% effective but it does work for the most common user agents.

I don't see any way you could reliably do this client-side by closing the windows, it would be MUCH more reliable to do it server-side. I also wouldn't bother with trying to modify the account in the Access List. Now that I understand what you are trying to accomplish, that was a bad suggestion.

I still question the approach you are taking though. If a user wants to logout, which I assume you want to occur so that they can log in again with different credentials, then you shouldn't use BasicAuth in my opinion. Also, if you are somehow trying to force a logout to simulate session expiration, then again you shouldn't use BasicAuth. It simply isn't designed to work that way.

It would be far more effective and reliable to roll-your-own authentication scheme and use cookies to store the credentials. Then you could clear them from client-side OR server-side pretty much at will. You could expire them so that if someone leaves a browser window open they will get logged out automatically. You could also persist the user's credentials so that they don't have to login at all once the cookie is stored. Point is it is a much more flexible and reliable method to implement a login/logout system.


Expert Comment

ID: 7080199
<->I also tried <a href='some.html' target=new_window>.

target=newwin seems to be right, but I have never tried with target=new_window.


Expert Comment

ID: 7080281
Use any target name except (_blank,_self,_top etc) and you will either create a new window or use an existing one of that name.


Expert Comment

ID: 8285368
This question has been abandoned. I will make a recommendation to the moderators on its resolution in a week or so. I appreciate any comments that would help me to make a recommendation.
In the absence of responses, I may recommend DELETE unless it is clear to me that it has value as a PAQ. Silence = you don't care

Expert Comment

ID: 8357016
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

split - mouatts/heathprovost
Please leave any comments here within the next seven days.
EE Cleanup Volunteer

Expert Comment

ID: 8404985
As recommended

Points for heathprovost at

Community Support Moderator @Experts Exchange
