unset php user authentication variable

Anon

i'm currently doing a logout script to logout user who logs in through the popup window through a funtion written using the PHP user authentication $PHP_AUTH_USER and $PHP_AUTH_PW declared as global variable within the authenticaation function. how to unset these 2 variables in my logout script (say logout.php) so that i can logout user from the site?

i've tried calling the same authentication function when user clicks at the logout button, but it needed user to click ok 3 times without inputing any username as password. this is something not user-friendly and doesn't make sense to normal usual.

anybody out there with a good solution?

julia

plutarck

Answer A: You cannt unset those variables.

Solution:

$PHP_AUTH_USER = '';
$PHP_AUTH_PW = '';

That oughtta do the trick for ya.

...I think.

Anon

i've tried that b4 but it didn't work.

the authenticate funtion written is as follows :

function authenticate()
{

GLOBAL $PHP_AUTH_USER;
GLOBAL $PHP_AUTH_PW;

$mes = "Login for mysite.com";

Header( "WWW-authenticate: basic realm=\"$mes\"");

Header( "HTTP/1.0 401 Unauthorized");
}

so any idea how to get rid of the values stored in $PHP_AUTH_USER & $PHP_AUTH_PW?

thanx.

julia

plutarck

scratches head

Try setting them to an empty string again, and right after echo out the contents of those two variables and see if the data changed at all.

If not then try setting them to some other variable and echoing them out.

If that doesn't work...I'm clueless.

Anon

You can't get rid of the values in $PHP_AUTH_USER and $PHP_AUTH_PW. This is Browser specific. The Browser stores the values in the cache send them to your script.

I haven't found a really good method to do it.

I heard you should create a logout page and send the Unauthorized Header. But I'm not sure.

I also heard that by changing the realm it should work, but not for me :-)

If you find something write it here, cause I'm also searching how to do it right.

Anon

i've already tried so many ways and thing is still not working. almost cracking my head rushing to complete this task.

anybody out there can help?

plutarck

Since it's browser based, it basically works like sessions. The best way to "log out" is just to close your browser window.

Other than that you can just tell them to enter 0 as their name and password. Then on the page you just bounce them over to the page you want them to be at.

So direct them to the log-out page with the instruction that they should enter 0 as their name and pass, then use header to kick them elsewhere.

Not fancy, not fun, and quite the hack, but I think it should at least work.

Beyond that...tell them to close their browser 😉

prahal

<?php
function authenticate() {
Header( "WWW-authenticate: basic realm=\"Test Authentication System\"");
Header( "HTTP/1.0 401 Unauthorized");
echo "You must enter a valid login ID and password to access this resource\n";
exit;
}

if(!isset($PHP_AUTH_USER) || ($SeenBefore == 1 && !strcmp($OldAuth, $PHP_AUTH_USER)) ) {
authenticate();
}

else {
echo "Welcome: $PHP_AUTH_USER<BR>";
echo "Old: $OldAuth";
echo "<FORM ACTION=\"$PHP_SELF\" METHOD=POST>\n";
echo "<INPUT TYPE=HIDDEN NAME=\"SeenBefore\" VALUE=\"1\">\n";
echo "<INPUT TYPE=HIDDEN NAME=\"OldAuth\" VALUE=\"$PHP_AUTH_USER\">\n";
echo "<INPUT TYPE=Submit VALUE=\"Re Authenticate\">\n";
echo "</FORM>\n";

}
?>

works for me...
but i have no IE: if someone could try and reply me I d be 🙂 thankful !

tambay

if you're using databases or cookies, you can try saving the value of the current date (YYYYMMDD). and whenever you want to authenticate a user, make sure that the current date is checked against the stored date. if they match, s/he's in. if not, force re-authentication.

now how do you log that user out? just deduct at least one day from the stored date and re-authentication should take place.

if you found a solution more elegant than this, i'd like to hear it though. *🙂