HTTP Auth Logout Script

chriscolden

Hi,

I'm new to the whole php thing. But i what i have been trying to do for a little while now is to logout a user.

I'm using HTTP Auth (.htaccess) and need a logout script to clear the session. I think $PHP_AUTH_USER and $PHP_AUTH_PW have something to do with it.

If anyone could help me with this matter i would be very greatful.

thanks in advance.

weekender

If you read the following article...

http://www.php.net/manual/sv/printwn/features.http-auth.php

from php help, the paragraph above example 18.2 tells you how to log people out of htaccess auths.

hand

Closing the browser window is the only real method to let a user log out from your application.

You're using HTTP Authentication, so userid and password are stored clientside in the header of the browser. On every interaction between browser and webserver the browser sends userid and password to the webserver.

The point is that you have to delete userid/pwd information clientside (browser). But this is impossible.

Work around:
The solution is not to let the user log out, the solution is to make a relogin with another user. Define a logout-user, call him "logout" with password "logout". This user is a dummy user without any rights.

To relogin with user "logout" the vistor has to send a request like "http://logout:logout@www.example.com]" to your server, so your server validates the uid:pwd combiniation and your server variables $PHP_AUTH_USER and $PHP_AUTH_PW are both set to "logout".

if ($logout) {
   header("Location: http://logout:logout@www.example.com/");
   exit;
}

But this work around only works in connection with IExplorer, but not with Netscape. 🙁
Netscape doesn't allow to unset userid/pwd header informations.

Please try all other possibilities you can find on the link weekender just posted.

chriscolden

I don't get the bit about 18.2 but on the same page i found this code. When i run it, it comes up with an error. "Parse error: parse error, unexpected T_UNSET"

Could someone please assist me with this probplem further.
sorry to be a pain. The code is...

$phpuser = unset($GLOBALS['SERVER']['PHP_AUTH_USER']);
$phppass = unset($GLOBALS['SERVER']['PHP_AUTH_PW']);
if(($phpuser == "") && ($phppass == "")) {
echo "Now Logged out.<br />";
exit;
}

hand

To unset the variables serverside is the wrong way. It works only for the message "Now logged out." On the next interaction the variables are already set, because the browser sends them to the server again.

chriscolden

i can't get any of the ways surgested to work. i really don't know what to do.

hand

I know 😃
You can forget all these "solutions". Closing the browser window is the only real method to let a user log out from your application. Some of them works but also not in connection with every browser and/or without reauthentication popup window interaction.

I spent a lot of time with this "simple" problem.

Here is my IExplorer Solution which really works.
2 Steps for logout:
1st step "HTTP://$username:$password@$domain"
and immediately after this step
2nd Step: "HTTP://$domain" (to hide uid/pwd from url)

I'm using meta http-equiv="refresh content="1; URL=..."

<!-- BEGIN TEMPLATE: login.inc.php -->
<?

$LIN_SN    = getenv("SCRIPT_NAME");

if (isset($username) && isset($password)) {
    //print "isset1: $username $password $login";
     $FORWARD_STEP1 = "\"refresh\" content=\"1; URL=$LIN_CONN://$username:$password@$LIN_IP".$LIN_SN."?lstep2=\">";
    print "
    <html>
    <head>
        <meta http-equiv=$FORWARD_STEP1
    </head>
    <body>
    <table border='0' cellspacing='0' cellpadding='0' width='150'>
        <tr><td class=basic>
        <table width='150' border='0' cellspacing='1' cellpadding='3'>
            <tr><th class=top>&nbsp;<font color='#000000'><b>User's Login</b></font></th></tr>
            <tr><td>".print date("d.m.y H:i:s", time())."<br>"."Login/Logout Step 1<br>please wait ...</td></tr>
        </table>
    </td></tr>
    </table>
    </body>
    </html>
    \n";
    exit;
}

if (isset($lstep2)) {
    //print "isset2: $lstep2";
    $FORWARD_STEP2 = "\"refresh\" content=\"1; URL=$LIN_CONN://$LIN_IP".$LIN_SN."\">";
    print "
    <html>
    <head>
        <meta http-equiv=$FORWARD_STEP2
    </head>
    <body>
    <table border='0' cellspacing='0' cellpadding='0' width='150'>
        <tr><td class=basic>
        <table width='150' border='0' cellspacing='1' cellpadding='3'>
            <tr><th class=top>&nbsp;<font color='#000000'><b>User's Login</b></font></th></tr>
            <tr><td>".print date("d.m.y H:i:s", time())."<br>"."Login/Logout Step 2<br>please wait ......</td></tr>
        </table>
    </td></tr>
    </table>
    </body>
    </html>
    \n";
    exit;
}
?>
<table border="0" cellspacing="0" cellpadding="0" width="150">
    <tr>
    <td class=basic>
    <table width="150" border="0" cellspacing="1" cellpadding="3">
        <tr><th class=top>&nbsp;<font color="#000000"><b>User's Login</b></font></th></tr>
        <tr><td><font size="1">
        <?
        print date("d.m.y H:i:s", time())."<br>\n";
        $D_USER = $PHP_AUTH_USER;
        if ($PHP_AUTH_USER == "" || $PHP_AUTH_USER == "logout") {
            $D_USER = "<strong>Logged Out</strong>";
        }
        print "User: $D_USER  [$P_USERREST[$PHP_AUTH_USER]]<br>\n";
        print "IP: ".$REMOTE_ADDR."\n";
        if (eregi("MSIE",getenv("HTTP_USER_AGENT"))) {
        ?>
        <form action="<?print basename(getenv("SCRIPT_NAME"));?>" method="post">
            <input type="hidden" name="action" value="login">
            <input type="hidden" name="url" value="/index.php">
            <table border="0" cellpadding="0" cellspacing="0" width=100%>
                <tr>
                <td align=center><font size="1"><b>Username&nbsp;</b></font></TD><TD align=center><font size="1"><b>Password&nbsp;</b></font></TD>
                </tr><tr>
                <TD align=center><INPUT TYPE="TEXT" NAME="username" SIZE=7></TD><TD align=center><INPUT TYPE="PASSWORD" NAME="password" SIZE=7></TD>
                </TR><TR>

            <?
            if ($PHP_AUTH_USER == "" || $PHP_AUTH_USER == "logout") {
            ?>
                <td colspan=2 valign=midel align=center><center>
                <input type='image' src='button.php?WIDTH=50&TEXT=+Login!' border='0' name='login' value='login' alt='Login!'>
                </center>
            <?
            } else {
            ?>
                       <TD valign="middle" align=center>
<input type='image' src='button.php?WIDTH=50&TEXT=ReLogin' border='0' name='login' value='login' alt='Login!'></TD>
                           <TD valign="middle" align=center><a href=<?print basename(getenv("SCRIPT_NAME"))."?username=logout&password=logout";?>>
<img src='button.php?WIDTH=50&TEXT=+Logout' border='0' name='login' value='login' alt='Login!'></a>
                <?
                }
                ?>
                </td></tr>
            </table>
        </form>
        <?
        }
        ?>        

        </td>
        </tr>
    </table>
    </td>
    </tr>
</table>
<!-- END TEMPLATE: login.inc.php -->

chriscolden

wow. way to complicated foor me. I will have a bbash at it though. I might learn somethin from it