in reply to undef-ing $ENV{'REMOTE_USER'} from within Perl?
Update: I didn't read hard enough. Indeed, if you send a 401 error, the credentials the browser supplies are rejected, and most clients on the market today will in fact clear the user name after receiving such a response.
"If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials."
Note it doesn't say what the client *must* do at this point ... (here endeth the update)
Looking over the HTTP RFC (RFC1945 for 1.0) I come to the conclusion that REMOTE_USER is derived from a part of the HTTP header sent by the *client* to the webserver, so in general, the answer would be that the client must unset it -- the RFC does not explicitly state that there must be a method for ending a session, so the browser manufacturers wouldn't necessarily have a uniform method -- or any method at all -- for ending a Basic Auth session. For obvious reasons (you don't want some guy on a remote site mangling your clients), unless the user gives explicit permission, you can't unset it with server-side code. You can, of course, unset it for the duration of a single request using tachyon's method, but on the next request, it will be re-sent by the client.
Basically, it's determined on a client-by-client basis. There *might* be some JavaScript-based way of doing it, but that, too, would require that the user allow your JavaScript to modify their browser's setup.
perl -e 'print "How sweet does a rose smell? "; chomp ($n = <STDIN>); $rose = "smells sweet to degree $n"; *other_name = *rose; print "$other_name\n"'
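The exchange described in the post above, as an added example that is not part of the original thread: a simulated server re-derives the user name from the Authorization header on every request, and a simulated client drops its cached credentials once a request that carried them gets a 401. The account alice/s3cret, the realm "demo", the /logout path and the functions remote_user and handle are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed demo account (hypothetical user name and password).
my %PASSWORDS = (alice => 's3cret');

# What a server does on every request: derive the REMOTE_USER value from the
# client-supplied "Authorization: Basic ..." header. Returns undef if the
# header is missing, malformed, or carries a wrong password.
sub remote_user {
    my ($auth) = @_;
    my ($b64) = ($auth // '') =~ m{\ABasic\s+([A-Za-z0-9+/=]+)\z}i or return;
    my ($user, $pass) = split /:/, decode_base64($b64), 2;
    return unless defined $pass
        && exists $PASSWORDS{$user}
        && $PASSWORDS{$user} eq $pass;
    return $user;
}

# Hypothetical handler: /logout always answers 401, even for valid
# credentials; every other path requires a valid user.
sub handle {
    my ($path, $auth) = @_;
    my $user = remote_user($auth);
    return (401, 'WWW-Authenticate: Basic realm="demo"')
        if $path eq '/logout' || !defined $user;
    return (200, "Hello $user");
}

# Client model: resend the cached credentials with each request and, as the
# post says most clients do, forget them after a 401 to a request that
# included them.
my $cached = 'Basic ' . encode_base64('alice:s3cret', '');
for my $path (qw(/private /private /logout /private)) {
    my ($status, $detail) = handle($path, $cached);
    printf "%-9s credentials sent=%-3s -> %d %s\n",
        $path, (defined $cached ? 'yes' : 'no'), $status, $detail;
    undef $cached if $status == 401;
}
```

The second /private request succeeds because the user name is rebuilt from the header the client resends; only after the 401 from /logout does the final request arrive without credentials.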
Replies are listed 'Best First'.
Re: undef-ing $ENV{'REMOTE_USER'} from within Perl?
by Abigail (Deacon) on Jul 11, 2001 at 23:38 UTC