Hi Jochem (and others),

> save the 'authenticated' state in the session;
> only send out the http auth headers when:
> 1. the user is not authenticated
> 2. the page should be protected
> logging out would then clear the 'authenticated'
> state from the SESSION
> now I probably didn't explain that very well - but I can say I
> have that concept working - unfortunately the relevant classes
> that I wrote to do that are heavily interdependent on other
> stuff which makes it useless for putting the point across;
> anyway hope the idea helps.

Actually, the idea does make a lot of sense. In fact, that very trick
was what was previously used in the application. The reason it's not
used anymore like that, is that the PHP sessions didn't seem to work
reliably for several end users (a long story...), and that we're trying
to revert back to the inherent authentication mechanism (i.e. HTTP
authentication) of the CMS that's being used...

Anyway... I just encountered the following page:
http://httpd.apache.org/docs/1.3/howto/auth.html
If you scroll down to the section called: "How do I log out?", you'll
find a pretty definite answer regarding 'real' HTTP authentication
destruction: it cannot be done. :(

Good, I'll ponder some more on a good 'plan B' to provide the client
with the functionality they desire, without having to spend too many
hours on it...

Tnx for the answers!

Cheers!
Olafo
--
PHP General Mailing List (http://www.php.net/)
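
The session-flag approach described in the quoted message, sketched in PHP as an added example; it is not code from either poster. REALM, check_credentials(), the POST field named logout and the demo credentials are hypothetical, and the forced 401 after logout goes one step beyond what the message describes.

```php
<?php
// Added illustration; REALM, check_credentials() and the POST "logout"
// field are hypothetical names, and the credentials are constructed.
session_start();

const REALM = 'Example CMS';

function check_credentials(string $user, string $pass): bool
{
    // Stand-in for a real user-store lookup using password_verify().
    return hash_equals('demo', $user) && hash_equals('constructed-secret', $pass);
}

function challenge(): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    echo 'Authentication required.';
    exit;
}

// Logging out clears the 'authenticated' state and marks the session so the
// credentials the browser replays next are not accepted silently.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    $_SESSION = ['challenge_next' => true];
    session_regenerate_id(true);
    echo 'Logged out.';
    exit;
}

$protected = true; // assumption: this page should be protected

// Send the auth headers only when the page is protected and the session
// does not already carry the 'authenticated' state.
if ($protected && empty($_SESSION['authenticated'])) {
    if (!empty($_SESSION['challenge_next'])) {
        unset($_SESSION['challenge_next']);
        challenge(); // first request after logout: force a fresh prompt
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user === '' || !check_credentials($user, $pass)) {
        challenge();
    }
    session_regenerate_id(true); // new session id on login (fixation defence)
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $user;
}

echo 'Hello, ' . htmlspecialchars($_SESSION['user'] ?? 'guest');
```

The browser keeps its cached credentials for the realm, as the Apache how-to explains; the one-time 401 only makes it prompt again, and the scheme depends on sessions working for every user.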