Update I didn't read hard enough. Indeed, if you send a 401 error, the credentials the browser supplies are rejected, and most clients on the market today will in fact clear the user name after receiving such a response.
If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
Note it doesn't say what the client *must* do at this point ... herendeth the update)
Looking over the HTTP RFC (RFC1945 for 1.0) I come to the conclusion that REMOTE_USER is derived from a part of the HTTP header sent by the *client* to the webserver, so in general, the answer would be that the client must unset it -- the RFC does not explicitly state that there must be a method for ending a session, so the browser manufacturers wouldn't necessarily have a uniform method -- or any method at all -- for ending a Basic Auth session. For obvious reasons (you don't want some guy on a remote site mangling your clients), unless the user gives explicit permission, you can't unset it with server-side code. You can, of course, unset it for the duration of the a single request using tachyon's method, but on the next request, it will be re-sent by the client.
Basically, it's determined on a client-by-client basis. There *might* be some Javascript-based way of doing it, but that, too would require that the user allow your Javascript to modify their browser's setup.
perl -e 'print "How sweet does a rose smell? "; chomp ($n = <STDIN>); +$rose = "smells sweet to degree $n"; *other_name = *rose; print "$oth +er_name\n"'
In reply to Re: undef-ing $ENV{'REMOTE_USER'} from within Perl?
by arturo
in thread undef-ing $ENV{'REMOTE_USER'} from within Perl?
by hibernian
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |