On Wed, February 1, 2006 7:16 am, Olaf Greve wrote:
> Alright: here's a bit of a "challenge" (so as to avoid the word
> "issue") ;) my colleagues have run into previously: how to kill HTTP
> authentication...

Simply change the "Realm" out from under the user, so that their credentials for the old "Realm" are still valid, but rather useless, as they now need to authenticate themselves in the new and improved "Realm".

This would require either using sequential or predictable Realms, or logging "used" Realms, or some similar mechanism.

Note that the user sees the "Realm" in their dialog (in some? browsers), so it should also not be something that would confuse the user when it changes.

Also note that the Windows IE dialog is likely to be too small to display the entire Realm if the string is rather long, which sucks, but what do you really expect from MS?

> Simply unsetting the PHP_AUTH_USER and PHP_AUTH_PWD variables doesn't
> seem to do any magic,

Of course not.

Those variables are *SENT* by the browser on each request, and contain the last known "good" values that got the user authenticated into the Realm, or the ones they've just typed in the little box to try to get into the Realm.

They should be considered READ_ONLY in PHP -- in effect, they *are* read-only, as you have noticed, since changing them is rather pointless for anything other than an exercise in futility.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
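
The realm-switching logout described in the reply above, as an added example that is not part of the original thread. The `?logout` parameter, the session keys `realm_gen` and `challenged`, the realm text and the `DEMO_USERS` table are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Realm text, session keys and
// DEMO_USERS are assumptions made for illustration.
session_start();

// Constructed sample account; a real site would verify against stored
// password_hash() values with password_verify().
const DEMO_USERS = ['alice' => 'constructed-sample-password'];

function credentials_ok(): bool
{
    // PHP_AUTH_USER / PHP_AUTH_PW hold whatever the browser sent on this request.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    return array_key_exists($user, DEMO_USERS)
        && hash_equals(DEMO_USERS[$user], $pass);
}

function challenge(): void
{
    // Sequential realm: kept short and readable, since the browser shows it.
    $realm = 'Members area, login ' . $_SESSION['realm_gen'];
    $_SESSION['challenged'] = true;
    header('WWW-Authenticate: Basic realm="' . $realm . '"', true, 401);
    exit('Authentication required.');
}

$_SESSION['realm_gen'] ??= 1;      // current realm number
$_SESSION['challenged'] ??= false; // a 401 was sent and not yet answered

if (isset($_GET['logout']) && !$_SESSION['challenged']) {
    // Log out: move to the next realm and answer 401 even though the
    // cached credentials on this request are still valid.
    $_SESSION['realm_gen']++;
    challenge();
}

if (!credentials_ok()) {
    challenge();
}

// Valid credentials arrived and no logout is pending: clear the flag so
// the next ?logout request switches realms again.
$_SESSION['challenged'] = false;
echo 'Hello, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . '.';
```

A Basic `Authorization` header carries only the user name and password, not the realm, so the session flag is what lets the server refuse the cached credentials once and accept the retry that follows the new prompt.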