Logging out htaccess

CodeJunkie has asked for the wisdom of the Perl Monks concerning the following question:

Hi,
I'm trying to find out how I can loggout a user when they have logged in using apache htaccess authentication.

I realise that by completing the login boxes you are setting the environment varibles as follows

$ENV{'REMOTE_USER'};
$ENV{'REMOTE_ADDR'};
[download]

So I thought this code would work...

if ($logout) {
  print "<b>Logging out user: $ENV{'REMOTE_USER'}</b><br/>";
  $ENV{'REMOTE_USER'}=;
  $ENV{'REMOTE_ADDR'}=;
}
[download]

Unfortunately it doesn't, can anyone suggest a different way I can log a user out of a session without getting them to close their browser... or shall I just have cookie controlling logging in and out of sessions?

cheers,
Tom

Comment on Logging out htaccess Select or Download Code

Replies are listed 'Best First'.
•Re: Logging out htaccess by merlyn (Sage) on May 08, 2003 at 17:29 UTC
I'm trying to find out how I can loggout a user when they have logged in using apache htaccess authentication. That's pretty difficult. You should be using cookies. That's why I wrote my column about cookies, because I was tired of explaining this over and over again. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]
Re: Logging out htaccess by belg4mit (Prior) on May 08, 2003 at 17:47 UTC
I just want to point out why that doesn't work. If a URI is using basic authentication the server will challenge the browser with 401 if it does not receive a valid user/pass combo with the request, ad infinitum. Once a valid user/pass is provided, the browser will transparently feed the server that user/pass for every URI below the protected one. Therefore, your environment variables are being set by the server, because the browser is providing it. Furthermore, you're changing an environment value in a child and expecting it to apply to all children, which it clearly won't. `-- I'm not belgian but I play one on TV.`	[reply]
Re: Logging out htaccess by jgallagher (Pilgrim) on May 08, 2003 at 16:36 UTC
I would suggest going the cookie/session route. Most browsers will store the username/password for basic HTTP authentication, so even if you manage to remove them from the server end, the browser will just send them back automatically when asked for them.	[reply]
Re: Logging out htaccess by Aristotle (Chancellor) on May 10, 2003 at 20:25 UTC
It's not really possible without user participation. You have to send a reply with HTTP status 401 Authorization Required to the browser and tell the user not to enter any credentials. The other way is having them close all their browser windows. Makeshifts last the longest.	[reply]
Re: Logging out htaccess by CodeJunkie (Monk) on May 09, 2003 at 10:18 UTC
Thanks for the comments that kind of confirmed what I was thinking. I will go with the cookie idea, just thought i'd better check out all the alternatives :-)	[reply]