Hi all,

I have a function that I use (or would like to) for user authentication. In it, I set $PHP_AUTH_USER to global (you have to inside a function, or it thinks it's local). When the user is authenticated, the username is in PHP_AUTH_USER, and that's great; I want it there until they log out.

Now, when the user logs out, I have a script that calls:

unset($GLOBALS['PHP_AUTH_USER']);

This, in theory, would clear that variable. And when I try to print that value to the screen, it is in fact gone (as opposed to definitely being there before the unset()). HOWEVER, when I go to a page that needs authentication again, it acts as if the user never logged out.

Any ideas????

thanks,
-Phil

    From what I understand, the client's browser caches the username & password, so unsetting variables won't help. As soon as the browser sees an error 401, it'll check the domain and site and use the cached username & password.

      I've had this same exact problem before, and I gave up. What I did was add a session cookie that also stored the username / password, and required those vars in the login / logout authentication functions. That way, your logout can delete the cookie and prevent further access. The only downside is you have to require cookies on your site. Let me know if you find another solution...

      email@danludwig.com

        As alluded to, there really is no way to clear the $REMOTE_USER / $PHP_AUTH_USER variable. No such syntax exists in HTTP to tell the browser to stop sending credentials. Recommend using a cookie with an encrypted username once authentication occurs. Clear the cookie to signify logout and validate the cookie on non-login pages.

        ===========================================
        http://badblue.com/helpphp.htm
        Free small footprint web server for Windows

        PHP, file-sharing, Access/Excel transcoding

          Cookie is the best way. I spent 7 days trying the same thing as you, and the only way to clear the $REMOTE_USER / $PHP_AUTH_USER variable is to close the browser session. Which of course will make people mad at you and never come back 🙂

          Bill.

            Thanks everyone....

            After getting ticked off at about 10 pm, I decided to sleep on it... I came up with the same solution. Requiring cookies isn't a great thing to do, but really there's only a small (maybe 15) group of people using this app I'm creating.

            Thanks for all the input.

            -phil
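
The cookie-based login and logout the thread settles on, as an added example that is not code from any of the posters. It swaps in PHP's server-side session, so the cookie carries only a random session id rather than the username or password, and logout invalidates that id on the server as well as expiring the cookie. Assumptions: PHP 7.3 or later, a site served over HTTPS, and the hypothetical names `check_credentials()`, the constructed demo account, and `/login.php`.

```php
<?php
// Added example: session-cookie login/logout in place of HTTP Basic auth.

function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // assumption: HTTPS only
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function check_credentials(string $user, string $pass): bool {
    // Hypothetical store with one constructed account; use your real user table.
    $hashes = ['phil' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($hashes[$user]) && password_verify($pass, $hashes[$user]);
}

function login(string $user, string $pass): bool {
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id at login, blocks session fixation
    $_SESSION['user'] = $user;     // stored server-side, never in the cookie
    return true;
}

function require_login(): string {
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');   // hypothetical login page
        exit;
    }
    return $_SESSION['user'];
}

function logout(): void {
    $_SESSION = [];                        // drop server-side state
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [       // expire the cookie in the browser
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();                     // the old session id stops working
}
```

Call `start_secure_session()` at the top of every page, `require_login()` on protected pages, and `logout()` from the logout script.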
