Solved

logout from htaccess login

Posted on 2005-03-13
Last Modified: 2009-07-29
Hi,

I have logged into a directory on my site which is password protected but I want to put a "logout" button on my site to remove the username/password that was used (for example: I want to login with a different name).

I cannot use "http://dummy:dummy@www.domain.com/byebye.html" as a link because Microsoft has blocked the use of username and password in the URL.

Does anyone know of another way to do it?

Regards,

TC
Question by:tchurch
17 Comments
 
LVL 30

Expert Comment

by:GrandSchtroumpf
ID: 13531126
There is no logout procedure for htaccess.
0
 
LVL 30

Expert Comment

by:GrandSchtroumpf
ID: 13531161
Actually, there is no real login procedure either, in the sense that there is no session.
The htaccess requires username/password for each HTTP request (like viewing 2 different pages in the same directory).  But your user agent (browser) is smart and it remembers the username/password you just entered, so it automatically sends it with all requests.
If you want to login with a new username/password, you probably need to restart your browser.
0
 
LVL 5

Expert Comment

by:dougday
ID: 13539644
Are you using a serverside language like PHP or Perl?  If so, you should be able to logout -- I've implemented such a system before.

-Doug
0

Author Comment

by:tchurch
ID: 13541983
Hi Doug,

I am using PHP on the serverside but am not using PHP for login/logout.
I have a user table in my MySQL database already (for some forum PHP scripts I downloaded) so I would consider switching to PHP login/logout if it's better.

Thanks

TC
0
 
LVL 30

Expert Comment

by:GrandSchtroumpf
ID: 13543170
PHP login/logout is not better, it's different.  But it's definitely more flexible than htaccess.
Can you explain why you want to logout?
The main problem with htaccess is that there is neither logout nor session expire timeout, so, if you leave your computer without closing the browser, anybody can come and access your protected pages.
Using htaccess is perfectly fine in some cases, but not in others.
Please explain your context.
0
 
LVL 5

Expert Comment

by:dougday
ID: 13544607
Agreed.  htaccess has its drawbacks.  But the ease of use can make it more tempting than php logins/logouts.

The main problem I've found with using PHP for your security is that it doesn't protect at the directory level.  Anyone knowing a direct URL to your content can access it whether or not you give them permission to do so, as long as your content is in your web space.

So, you'll want to decide if it's worth moving to PHP logins, or to try to work with the drawbacks of htaccess.  If it were me, I'd say that if this is a "big" site, and you want to put a little extra effort into making it work as best you can, use PHP logins.  If you need something fast and fairly simple, htaccess would probably be better.

So, here's how it would work:

If you used PHP for logins:
    - Move all your sensitive files, things that will require a login, *outside* of your web space, so you can't simply just access them via a URL.
    - Use a script to handle access to your pages -- there are lots out there, especially for MySQL.  Try http://www.hotscripts.com/.
    - Use special scripts to "pass through" your sensitive files to your users while maintaining security.  So, for images, you'll use something like this:  <img src="img.php?id=16" alt="" />.  Img.php would check the user's credentials to make sure they have the rights to view image 16, and then pass it directly to their browser.

If you still want to do htaccess, I'm pretty sure you can logout of htaccess FROM php -- let me look into that (I had something like this running in one of my previous projects).

If you keep htaccess:
    - Look into mod_auth_mysql.  It is pretty handy for authenticating your users from MySQL using htaccess.  Here's the URL: http://modauthmysql.sourceforge.net/

-Doug
0
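The "pass through" script described in the post above (img.php?id=16), as an added example that is not part of the original thread. The session key user_id, the directory PRIVATE_DIR and the $acl map are hypothetical names chosen for illustration; a real site would read permissions from its own user tables.

```php
<?php
// Added example: serve an image stored outside the web root only to
// users who are logged in and allowed to see it.
// Assumption: the PHP login script stores the user id in $_SESSION['user_id'].
session_start();

const PRIVATE_DIR = '/var/www/private/images'; // hypothetical path outside the document root

// Constructed sample ACL: image id => user ids allowed to view it.
// A real site would query its MySQL permission tables instead.
$acl = [16 => [1, 2], 17 => [2]];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Require a logged-in session.
if (empty($_SESSION['user_id'])) {
    deny(403);
}

// 2. Accept only an integer id; never build a path from raw request input.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    deny(400);
}

// 3. Check that this user may view this image.
if (!in_array((int) $_SESSION['user_id'], $acl[$id] ?? [], true)) {
    deny(403);
}

// 4. Resolve the file and confirm it really lives inside PRIVATE_DIR.
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . "/$id.jpg");
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny(404);
}

// 5. Stream the file; keep it out of shared caches.
header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```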
 
LVL 30

Expert Comment

by:GrandSchtroumpf
ID: 13545055
> If you still want to do htaccess, I'm pretty sure you can logout of htaccess FROM php
I'm pretty sure you cannot do it.  But I'm not a htaccess expert ;-)
As I said in my previous post, it's the user agent that caches the authentication.  Otherwise every single HTTP request would ask for authentication again.

PHP is on the server-side, so I don't see how it can modify the cached authentication on the client side.  What PHP can do is to change the content of .htaccess/.htpassword to make the previous authentication not valid (i.e. comment the username:password line)...  but then a mechanism should be implemented to remove that comment when the user does a new login.

dougday, I'm very curious to see what you come up with.  Maybe PHP can issue a special command to the browser telling it to erase the cached authentication.
0
 
LVL 5

Accepted Solution

by:
dougday earned 500 total points
ID: 13545154
Well, technically you cannot really "logout" from htaccess, but you can force authentication again.  To me it's just as effective.  I just tested it -- here's what worked for me:

Create a logout.php script that contains the following:

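<?php
// logout.php: force the browser to ask for Basic auth credentials again.

session_start();

if (!empty($_SESSION["logout"])) {
    // Second request: the user has answered the new prompt, so reset the flag and go to the main page.
    $_SESSION["logout"] = false;
    header('Location: index.php'); // Change index.php to your main page (if it's not already).
    exit;
}
else {
    // First request: answer 401 so the browser prompts for credentials again.
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="MyRealm"'); // Change MyRealm to be the same as AuthName in .htaccess
    $_SESSION["logout"] = true;
}

?>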

Then to force someone to provide different credentials just point them to that page.

Let me know if that works for you,
-Doug
0
 
LVL 5

Expert Comment

by:dougday
ID: 13545982
Apparently for a "clean" and actual htaccess logout, it would require tinkering with the actual Apache server code.  Here's a discussion about it:  http://www.aota.net/forums/archive/index.php/t-5146.html

I wonder if someone somewhere has written a mod to handle that?
-Doug
0
 

Expert Comment

by:webdog_oregon
ID: 25742840
So I am trying the same thing. If I understand this correctly, I should place a link on the main page of the protected directory that says "logout" and have that link to a page named logout.php with this script in it.

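<?php
// logout.php: force the browser to ask for Basic auth credentials again.

session_start();

if (!empty($_SESSION["logout"])) {
    // Second request: the user has answered the new prompt, so reset the flag and go to the main page.
    $_SESSION["logout"] = false;
    header('Location: index.php'); // Change index.php to your main page (if it's not already).
    exit;
}
else {
    // First request: answer 401 so the browser prompts for credentials again.
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="MyRealm"'); // Change MyRealm to be the same as AuthName in .htaccess
    $_SESSION["logout"] = true;
}

?>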


Is that correct?
0
 
LVL 5

Expert Comment

by:dougday
ID: 25742908
LOL, it's been 4 years since I've looked at it, but yes, that appears correct to me.  :)
0
 

Expert Comment

by:webdog_oregon
ID: 25745827
Can't get it to work. Should I post it as a new question?
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 25747313
Yes, please open a new one
0
 

Expert Comment

by:webdog_oregon
ID: 25751605
I will, but for now what I did is place a JavaScript "close window" button on the page, with the button reading "Log Out". Below the button I put an explanation that logging out would close the window and to be sure to log out before leaving. Simple but should work for our needs. Does not work in Firefox though.
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 25751761
In what way not?

0

Question has a verified solution.