dpgirago@xxxxxxxxxxxxxx wrote:
> I can't remember where the example below came from, but the event handler
> for the 're-authenticate' button doesn't allow a re-authentication
> /**********************************************************************
> * reset event handler does not work as expected *
> **********************************************************************/
> if(IsSet($_POST['authenticator']) && $_POST['authenticator'])
> {
> unset($qualifiedUsers);
> unset($qualifiedPasswords);
> unset($_SERVER['PHP_AUTH_USER']);
> unset($_SERVER['PHP_AUTH_PW']);
> unset($_POST['authenticator']);
Remember how these values come in to this point:
The *BROWSER* remembers your login credentials, and re-sends them with
each request.
unset($_SERVER['PHP_AUTH_USER']);
is kinda pointless.
It will unset() it for this script, but the browser is gonna re-send them
on the next page hit.
Ain't no way to make it *NOT* send them, cuz the HTTP spec didn't plan for
that. Sorry.
What you gotta do is change the REALM out from under them.
In other words, if user X is logged in with HTTP Basic authentication, and
you want to log them out, from that moment forward, send:
header('WWW-Authenticate: Basic realm="Some other Realm"');
So you'll need to track "used" realms, or perhaps keep a $counter going
for each user, and when they log out, "Whammo" change the Realm out from
under them.
At least, that's how I was told to do it.
Somebody said there was a way to log somebody out with other headers, but
I always forget what it is...
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
