• Status: Solved

logout from htaccess login

Hi,

I have logged into a directory on my site which is password protected but I want to put a "logout" button on my site to remove the username/password that was used (for example: I want to login with a different name).

I cannot use "http://dummy:dummy@www.domain.com/byebye.html" as a link because Microsoft has blocked the use of username and password in the URL.

Does anyone know of another way to do it?

Regards,

TC
Asked by: tchurch
 
GrandSchtroumpf Commented:
There is no logout procedure for htaccess.
 
GrandSchtroumpf Commented:
Actually, there is no real login procedure either, in the sense that there is no session.
The htaccess requires username/password for each HTTP request (like viewing 2 different pages in the same directory), but your user agent (browser) is smart and it remembers the username/password you just entered, so it automatically sends it with all requests.
If you want to login with a new username/password, you probably need to restart your browser.
 
dougday Commented:
Are you using a server-side language like PHP or Perl?  If so, you should be able to logout -- I've implemented such a system before.

-Doug
 
tchurch (Author) Commented:
Hi Doug,

I am using PHP on the server side but am not using PHP for login/logout.
I have a user table in my MySQL database already (for some forum PHP scripts I downloaded) so I would consider switching to PHP login/logout if it's better.

Thanks

TC
 
GrandSchtroumpf Commented:
PHP login/logout is not better, it's different.  But it's definitely more flexible than htaccess.
Can you explain why you want to logout?
The main problem with htaccess is that there is neither logout nor session expire timeout, so, if you leave your computer without closing the browser, anybody can come and access your protected pages.
Using htaccess is perfectly fine in some cases, but not in others.
Please explain your context.
 
dougday Commented:
Agreed.  htaccess has its drawbacks.  But the ease of use can make it more tempting than php logins/logouts.

The main problem I've found with using PHP for your security is that it doesn't protect at the directory level.  Anyone knowing a direct URL to your content can access it whether or not you give them permission to do so, as long as your content is in your web space.

So, you'll want to decide if it's worth moving to PHP logins, or to try to work with the drawbacks of htaccess.  If it were me, I'd say that if this is a "big" site, and you want to put a little extra effort into making it work as best you can, use PHP logins.  If you need something fast and fairly simple, htaccess would probably be better.

So, here's how it would work:

If you used PHP for logins:
    - Move all your sensitive files, things that will require a login, *outside* of your web space, so you can't simply just access them via a URL.
    - Use a script to handle access to your pages -- there are lots out there, especially for MySQL.  Try http://www.hotscripts.com/.
    - Use special scripts to "pass through" your sensitive files to your users while maintaining security.  So, for images, you'll use something like this:  <img src="img.php?id=16" alt="" />.  Img.php would check the user's credentials to make sure they have the rights to view image 16, and then pass it directly to their browser.

If you still want to do htaccess, I'm pretty sure you can logout of htaccess FROM php -- let me look into that (I had something like this running in one of my previous projects).

If you keep htaccess:
    - Look into mod_auth_mysql.  It is pretty handy for authenticating your users from MySQL using htaccess.  Here's the URL: http://modauthmysql.sourceforge.net/

-Doug
0
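The pass-through script dougday describes above (img.php), sketched as an added example that is not part of the original thread. The directory path, the session key `user_id`, and the image table are assumptions for illustration; the table stands in for a MySQL lookup.

```php
<?php
// img.php - added example: serve a file kept outside the web root only to a
// logged-in user who is allowed to see it. All names here are hypothetical.
session_start();

// Assumed storage location outside the document root (not reachable by URL).
const PRIVATE_DIR = '/var/www/private/images';

// Constructed sample data; in practice this would be a database lookup.
// image id => [file name, user ids allowed to view it]
const IMAGES = [
    16 => ['report-chart.png', [3, 7]],
    17 => ['floorplan.jpg',    [7]],
];

function deny(int $status): void {
    http_response_code($status);
    exit;
}

// 1. The login script is assumed to have stored the user id in the session.
if (empty($_SESSION['user_id'])) {
    deny(403);
}

// 2. Accept only an integer id; never take a file name from the request.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false || !isset(IMAGES[$id])) {
    deny(404);
}

// 3. Per-object check: may this particular user view this particular image?
[$name, $allowed] = IMAGES[$id];
if (!in_array((int) $_SESSION['user_id'], $allowed, true)) {
    deny(403);
}

// 4. Resolve the path and confirm it is still inside the private directory.
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . '/' . $name);
if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
    deny(404);
}

// 5. Send the file with its detected type and keep it out of shared caches.
header('Content-Type: ' . mime_content_type($path));
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

Because the check in step 3 runs on every request, knowing the URL `img.php?id=16` is not enough to fetch the image, which is the direct-URL problem the post raises.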
 
GrandSchtroumpf Commented:
> If you still want to do htaccess, I'm pretty sure you can logout of htaccess FROM php
I'm pretty sure you cannot do it.  But I'm not a htaccess expert ;-)
As I said in my previous post, it's the user agent that caches the authentication.  Otherwise every single HTTP request would ask for authentication again.

PHP is on the server side, so I don't see how it can modify the cached authentication on the client side.  What PHP can do is to change the content of .htaccess/.htpassword to make the previous authentication not valid (i.e. comment the username:password line)...  but then a mechanism should be implemented to remove that comment when the user does a new login.

dougday, I'm very curious to see what you come up with.  Maybe PHP can issue a special command to the browser telling it to erase the cached authentication.
 
dougday Commented:
Well, technically you cannot really "logout" from htaccess, but you can force authentication again.  To me it's just as effective.  I just tested it -- here's what worked for me:

Create a logout.php script that contains the following:

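<?php

session_start();

// Second request: the browser has already been challenged, so return to the main page.
if (!empty($_SESSION["logout"])) { // empty() avoids an undefined-index notice on the first visit
    $_SESSION["logout"] = false;
    header('Location: index.php'); // Change index.php to your main page (if it's not already).
    exit; // Stop here so nothing else is sent after the redirect.
}
else {
    // First request: answer 401 so the browser prompts for credentials again.
    header('HTTP/1.0 401 Unauthorised');
    header('WWW-Authenticate: Basic realm="MyRealm"'); // Change MyRealm to be the same as AuthName in .htaccess
    $_SESSION["logout"] = true;
}

?>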

Then to force someone to provide different credentials just point them to that page.

Let me know if that works for you,
-Doug
 
dougday Commented:
Apparently for a "clean" and actual htaccess logout, it would require tinkering with the actual Apache server code.  Here's a discussion about it:  http://www.aota.net/forums/archive/index.php/t-5146.html

I wonder if someone somewhere has written a mod to handle that?
-Doug
 
webdog_oregon Commented:
So I am trying the same thing. If I understand this correctly, I should place a link on the main page of the protected directory that says "logout" and have that link to a page named logout.php with this script in it.

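<?php

session_start();

// Second request: the browser has already been challenged, so return to the main page.
if (!empty($_SESSION["logout"])) { // empty() avoids an undefined-index notice on the first visit
    $_SESSION["logout"] = false;
    header('Location: index.php'); // Change index.php to your main page (if it's not already).
    exit; // Stop here so nothing else is sent after the redirect.
}
else {
    // First request: answer 401 so the browser prompts for credentials again.
    header('HTTP/1.0 401 Unauthorised');
    header('WWW-Authenticate: Basic realm="MyRealm"'); // Change MyRealm to be the same as AuthName in .htaccess
    $_SESSION["logout"] = true;
}

?>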


Is that correct?
 
dougday Commented:
LOL, it's been 4 years since I've looked at it, but yes, that appears correct to me.  :)
 
webdog_oregon Commented:
Can't get it to work. Should I post it as a new question?
 
Michel Plungjan (IT Expert) Commented:
Yes, please open a new one.
 
webdog_oregon Commented:
I will, but for now what I did was place a JavaScript "close window" button on the page, with the button reading "Log Out". Below the button I put an explanation that logging out would close the window and to be sure to log out before leaving. Simple, but it should work for our needs. It does not work in Firefox, though.
 
Michel Plungjan (IT Expert) Commented:
In what way not?
