Well I guess the easiest way it to store who's logged in into a database and every page that requires quthorization just check the database to see if that user is logged in, if not then make them login again.
Apparently just sending a 401 error message is supposed to clear the browsers cache of all credentials for that server, but that is not a real RFC standard and subsequently only works for netscape users and not IE so it's only a good solution if your in an internal network and everyone uses netscape.
I'm still working on a set of simple reusable functions for handling this task gracefully so I'm not gonna go posting up any code for now as it's all still in the Alpha stage.
