Richard Lynch wrote:
dpgirago@xxxxxxxxxxxxxx wrote:
I can't remember where the example below came from, but the event handler
for the 're-authenticate' button doesn't allow a re-authentication
/**********************************************************************
* reset event handler does not work as expected *
**********************************************************************/
if(IsSet($_POST['authenticator']) && $_POST['authenticator'])
{
unset($qualifiedUsers);
unset($qualifiedPasswords);
unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);
unset($_POST['authenticator']);
Remember how these values come in to this point:
The *BROWSER* remembers your login credentials, and re-sends them with
each request.
unset($_SERVER['PHP_AUTH_USER']);
is kinda pointless.
It will unset() it for this script, but the browser is gonna re-send them
on the next page hit.
doesn't the browser only send the AUTH_USER & AUTH_PW if it gets
the WWW-Authenticate header?
Ain't no way to make it *NOT* send them, cuz the HTTP spec didn't plan for
that. Sorry.
What you gotta do is change the REALM out from under them.
In other words, if user X is logged in with HTTP Basic authentication, and
you want to log them out, from that moment forward, send:
header('WWW-Authenticate: Basic realm="Some other Realm"');
So you'll need to track "used" realms, or perhaps keep a $counter going
for each user, and when they log out, "Whammo" change the Realm out from
under them.
At least, that's how I was told to do it.
Somebody said there was a way to log somebody out with other headers, but
I always forget what it is...
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
