Basic Auth: force browser to ask password again

I'm a Chinese programmer in Singapore, in need of expert advice.

First let me describe "Basic Auth" because it is known by many names to many people. (Skip to "The Problem" if you know what I mean.) If I protect a URL with HTTP Basic Authentication (through .htaccess in Apache), then the browser will pop up a dialog box requesting password whenever someone accesses the URL.

[ The Problem ] How to force browser to request credential again. Once a credential is accepted, browser will send it to other URLs on the same site. The only way to force browser to pop up the dialog box is: close the browser and restart a new browser.

[ Solutions that don't work ] I used client-side javascript to close all my browser windows and "" a new browser window, but the new window remembers the credential and therefore doesn't ask. Instead of "", I also tried <a href='some.html' target=new_window>.

Browser used: MSIE 5
OS: win98

mouatts Commented:
Ok I'm not too hot on what Apache can and can't do but if I tell you what you would need to do then perhaps someone else can help as to whether Apache can actually do it.

When a request is made to a server with basic authentication turned on it sends a response as below

WWW-Authenticate: Basic realm="myrealm"

The browser will prompt the user and will return a message that includes the username and password.

All subsequent requests to the server will send the username and password within the message.

Now to force a redisplay of the prompt your server will need to send a 401 message along with the authenticate message above.

Now I suspect that the browser may think well I already know the username and password for this realm so it will not prompt the user. (This is worth checking though)

Assuming that to be the case you will need to send a different realm name out when you send the 401.

What I'm not sure of is how Apache associates the realms with the usernames that it holds and whether it can handle multiple realms in this way.


What you are trying to do (if I understand it correctly) is force the browser to do something it is simply not supposed to do. Once the browser has the credentials for a realm and those credentials are valid for a set of urls, it is by design supposed to hold onto those credentials and as long as the server accepts them as valid it is supposed to allow the browser to access those urls.

You seem to be saying that you want to somehow force the browser to drop its credentials even when they are still valid for a given url. This makes no sense to me. It is the _server_ that causes the browser to ask the user for their credentials, the browser has absolutely no control over this. And if the browser already has valid credentials for a given url, i.e. the user is on the Access list for said url, there is simply no logical reason to make the browser ask for them again.

If you want the user's credentials to become invalidated, all you have to do is remove said user from the Access list for those urls. Once they are no longer on the Access list they will immediately get a 401 and the browser will ask the user for new credentials. This is how the system is designed to work, there isn't much point in trying to force it to act differently.

Could you possibly explain _why_ you are trying to do what you are describing? I ask because it may be more effective for us to try and come up with a different way to achieve the same goal here...

eng40490 (Author) Commented:
LOGOUT is what I want. The client machines are shared. Once User Alice logs out, we want the browser to "forget" the credentials, so that User Bob can't go in without password.

My partners do not like cookies, so we use Basic Auth.

Thanks to Steve and Heath, we now have 3 directions to explore:
1) close browser window and all parents/children windows
2) modify Realm in .htaccess
3) modify account in AuthUserFile

For (2), please remember we have other users, perhaps in a login session. The new realm should apply to only the user who has logged out and who tries to come in again.

Read this page:

It outlines some people's attempts to do what you are describing on Apache with PHP... But note that all suggested ways to implement a "logout" feature that I have seen for BasicAuth were implemented server side by basically the same method that mouatts suggested, change the realm and send a 401. It has to be done very carefully to ensure the desired response from the user agent, and even then it isn't 100% effective but it does work for the most common user agents.

I don't see any way you could reliably do this client-side by closing the windows, it would be MUCH more reliable to do it server-side. I also wouldn't bother with trying to modify the account in the Access List. Now that I understand what you are trying to accomplish, that was a bad suggestion.

I still question the approach you are taking though. If a user wants to logout, which I assume you want to occur so that they can log in again with different credentials, then you shouldn't use BasicAuth in my opinion. Also, if you are somehow trying to force a logout to simulate session expiration, then again you shouldn't use BasicAuth. It simply isn't designed to work that way.

It would be far more effective and reliable to roll-your-own authentication scheme and use cookies to store the credentials. Then you could clear them from client-side OR server-side pretty much at will. You could expire them so that if someone leaves a browser window open they will get logged out automatically. You could also persist the user's credentials so that they don't have to login at all once the cookie is stored. Point is it is a much more flexible and reliable method to implement a login/logout system.
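
The server-side approach discussed in this thread (send a 401 with a changed realm, and only for the user who logged out) can be sketched as follows. This is an added example, not code from any poster: the accounts, the `/logout` path and the `handle` function are assumptions, and the logic is shown in Python rather than Apache configuration.

```python
import base64
import hmac
import secrets

# Constructed demo accounts (assumption); Apache would check AuthUserFile instead.
USERS = {"alice": "wonderland", "bob": "builder"}
BASE_REALM = "myrealm"
logged_out = set()  # users whose next authenticated request gets one 401


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def challenge(realm):
    """Build the 401 response that makes the browser prompt."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}


def handle(path, auth_header):
    """Return (status, headers) for one request."""
    creds = parse_basic(auth_header)
    if creds is None:
        return challenge(BASE_REALM)
    user, password = creds
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode(), password.encode())
    if user not in USERS or not ok:
        return challenge(BASE_REALM)
    if path == "/logout":
        logged_out.add(user)  # only this account is affected
        return 200, {}
    if user in logged_out:
        # The cached header and a freshly typed one are byte-identical, so the
        # server can only challenge once and rely on the browser prompting.
        logged_out.discard(user)
        return challenge("%s-%s" % (BASE_REALM, secrets.token_hex(4)))
    return 200, {}
```

Whether the browser discards its cached credentials on that one 401 is up to the user agent, which is why the thread describes the method as not 100% effective.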

Chandramouli k (Architect) Commented:
<->I also tried <a href='some.html' target=new_window>.

target=newwin seems to be right, but I have never tried with target=new_window

Use any target name except (_blank,_self,_top etc) and you will either create a new window or use an existing one of that name.

ahosang (Finance Systems Developer) Commented:
This question has been abandoned. I will make a recommendation to the moderators on its resolution in a week or so. I appreciate any comments that would help me to make a recommendation.
In the absence of responses, I may recommend DELETE unless it is clear to me that it has value as a PAQ. Silence = you don't care

ahosang (Finance Systems Developer) Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

split - mouatts/heathprovost
Please leave any comments here within the next seven days.
EE Cleanup Volunteer
As recommended

Points for heathprovost at

Community Support Moderator @Experts Exchange
Question has a verified solution.
