Re: php htaccess logins and logouts

Hi,

> 
> IIRC if you unset $_SERVER['PHP_AUTH_USER'] and
> $_SERVER['PHP_AUTH_PW'] it will log you out.

I've done some research on this in the past - and not all browsers/web servers honour that as it's the browser that keeps the username/password cached and sends it after a 401 response, so the server knows nothing about the "login" - i.e.

1. User visits page 1
2. Server sends 401 Unauthorised header
3. Browser does not have any login details for the realm and prompts user
4. User inputs credentials, browser re-submits the request with the credentials attached
5. User visits page 2
6. Server sends 401 Unauthorised header
7. Browser has login details for the realm and re-submits the request with the credentials attached

From the conclusion I came to after my research, there is no reliable way for the server to de-authorise a login after a 401 request.

There are tricks you can do on the server, such as changing the authentication realm when the user has logged out - but if the user visits the same site again the realms will match and they will be logged in.

I've seen a "hack" which uses a cookie on the user's machine - if the user has the cookie, the correct authentication realm is returned in the authentication request.  If the user doesn't have the cookie, the server sends a random realm to trick the browser into thinking it's not logged in.  By the time you've done all that, you might as well just use sessions.

Regards,
Andy
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
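For reference, here is the cookie/realm "logout" trick the reply describes, written out as an added example (not code from the thread or from PHP's own documentation). It assumes PHP 7.3 or later for the array form of setcookie(); the user table, cookie name and realm-nonce scheme (the realm is stored in the cookie and rotated on logout) are constructed for illustration.

```php
<?php
// Added example, not from the original post: HTTP Basic auth where the
// realm is a per-login nonce kept in a cookie. Deleting the cookie and
// answering with a fresh realm makes the browser prompt again instead of
// replaying its cached credentials. The browser still holds those
// credentials, so this is a usability trick, not a real logout.
const REALM_COOKIE = 'auth_realm';          // constructed cookie name

function user_hash(string $user): ?string {
    // Constructed user table; a real application loads stored hashes.
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return $users[$user] ?? null;
}

function credentials_valid(string $user, string $pw): bool {
    $hash = user_hash($user);
    return $hash !== null && password_verify($pw, $hash);
}

function send_401(string $realm): void {
    // Realm values are hex nonces, so no quote escaping is needed here.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    exit("Authentication required\n");
}

// Logout: drop the realm cookie and challenge with a realm the browser has
// never seen. It prompts; the user cancels and is "logged out".
if (isset($_GET['logout'])) {
    setcookie(REALM_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    send_401(bin2hex(random_bytes(16)));
}

// No (valid) cookie: fresh login. Mint a realm nonce, store it in the
// cookie (Set-Cookie is honoured on a 401) and challenge with it.
if (!isset($_COOKIE[REALM_COOKIE]) || !ctype_xdigit($_COOKIE[REALM_COOKIE])) {
    $realm = bin2hex(random_bytes(16));
    setcookie(REALM_COOKIE, $realm, ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    send_401($realm);
}

// Cookie present: the browser should have credentials cached for this realm.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!credentials_valid($user, $pw)) {
    send_401($_COOKIE[REALM_COOKIE]);       // same realm: browser re-prompts
}

echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
```

Note that the server never checks which realm the browser thinks it answered; it only validates the Authorization header, so a replayed header from before "logout" is still accepted, which is exactly why the reply recommends sessions instead.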


