terminating authentication

hearn

Is there a way in php to remove authentication? I login through an apache username and password authentication, is there a way I can remove the authentication using php?

Frag

You mean .htaccess?

hearn

Yea, the original authentication is through the use of .htaccess, can it be terminated with php?

dannys

You could try tricking the browser by forcing a 401 (Unauthorised) by sending

header('HTTP 401 Unauthorized');

That should popup the password box and the browser might forget the old username/password.

All completely untried and theoretical - but hey you never know! 🙂 Ok - so it's 1am here!

hearn

It still didn't work, anyone else have some ideas for me?

killerbishop

That header didn't specify which version of the HTTP protocol, and therefore was invalid. You also need to send a WWW-Authenticate header as well, like:

header("WWW-Authenticate: Basic realm=\"Login Again\"");
header("HTTP/1.0 401 Unauthorized");

hearn

that produced an error:

[Thu Sep 12 02:06:39 2002] [error] [client 35.11.182.83] malformed header from script. Bad header=HTTP/1.1 401 Unauthorized: c:/server/php/php.exe
35.11.182.83 - me - [12/Sep/2002:02:06:39 -0400] "GET /logout.php HTTP/1.1" 500 616

The page logout.php is only the following:

<?php
header("WWW-Authenticate: Basic realm=\"Login Again\"");
header("HTTP/1.1 401 Unauthorized");
?>

killerbishop

Uh, that's suppose to be "HTTP/1.0", not 1.1.

Weedpacket

And the 401 response line should be before the WWW-Authenticate line. (Testing suggests that PHP identifies response lines and sends them first.)

dannys

This seems to work ok

<?php
header('HTTP/1.0 401 Authorization Required');
header('WWW-Authenticate: Basic realm="My Realm"');
?>

Forces the browser to ask for username/password again - effectively logging the user out.

hearn

Still getting the error:

[Thu Sep 12 11:01:49 2002] [error] [client 66.18.182.83] malformed header from script. Bad header=HTTP/1.0 401 Authorization Req: c:/server/php/php.exe
66.18.182.83 - me [12/Sep/2002:11:01:50 -0400] "GET /logout.php HTTP/1.1" 500 616

dannys

Odd, which browser and server are you using?

Try swapping the order of the headers around.

hearn

I already tried switching everything around, I'm using msie 6, and the server is apache, running on win xp.

dannys

Weird - works here with MSIE6 on WinXP and Apache server (on FreeBSD)

Don't really know what else to suggest - maybe repost this in the Windows Help forum?