Olaf Greve wrote:
Hi all,
Alright: here's a bit of a "challenge" (so as to avoid the word "issue")
;) my colleagues have run into previously: how to kill HTTP
authentication...
I remember that they never did figure that one out, and I too will now
have to get my hands dirty with trying to find a proper way to do so.
Simply unsetting the PHP_AUTH_USER and PHP_AUTH_PWD variables doesn't
seem to do any magic, and using a forced 401 ('Unauthorized') HTTP
header is also highly ideal (not to say blatantly dirty)...
seen a 'nuff browsers ignore the 401 after a successful login - they
just keep sending the headers and you're logged right back in, that's my
past experience.
Soooo, has anyone found a proper way of achieving this (ideally from PHP)?
Also, in case this cannot be done from PHP, does anyone know of any
Apache modules (or tricks/tweaks/settings) that will allow HTTP
authentication to be neatly destroyed?
save the 'authenticated' state in the session;
only send out the http auth headers when:
1. the user is not authenticated
2. the page should be protected
logging out would then clear the 'authenticated'
state from the SESSION
----
now I probably didn't explain that very well - but I can say I
have that concept working - unfortunately the relevant classes
that I wrote to do that are heavily interdependent on other
stuff which makes it useless for putting the point across;
anyway hope the idea helps.
Thanks in advance, and cheers,
Olafo
--
PHP General Mailing List (http://www.php.net/)
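The session-based scheme described in the reply above, as an added example that is not code from the thread or from either poster. The function names, the realm and the sample user are hypothetical; the `challenged` flag is an assumption added here so that credentials a browser replays from its cache after logout are answered with a fresh 401 instead of a silent re-login.

```php
<?php
// Added example: hypothetical names and a constructed sample user.
session_start();

function verify_credentials(string $user, string $pass): bool
{
    static $users = null;   // constructed user store; normally a database lookup
    $users ??= ['demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function send_challenge(): void
{
    $_SESSION['challenged'] = true;   // credentials are accepted only after this
    header('WWW-Authenticate: Basic realm="Members"');
    http_response_code(401);
    exit('Authentication required.');
}

function require_login(): void
{
    if (!empty($_SESSION['authenticated'])) {
        return;                       // already logged in: no auth headers go out
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    // Credentials arriving without a challenge from this session are the
    // browser replaying its cache (for instance after logout): challenge again.
    if ($user === null || empty($_SESSION['challenged']) || !verify_credentials($user, $pass)) {
        send_challenge();
    }
    session_regenerate_id(true);      // new session id once the login succeeds
    $_SESSION['authenticated'] = $user;
    unset($_SESSION['challenged']);
}

function logout(): void
{
    $_SESSION = [];                   // clears 'authenticated' and 'challenged'
    session_regenerate_id(true);
}

// Protected page: a POSTed logout clears the state, everything else needs a login.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'logout') {
    logout();
    exit('Logged out.');
}
require_login();
echo 'Hello, ', htmlspecialchars($_SESSION['authenticated']);
```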