Http Authentication Logout Via PHP

HTTP authentication logout via PHP

Mu. No correct way exists, not even one that's consistent across browsers.

This is a problem that comes from the HTTP specification (section 15.6):

Existing HTTP clients and user agents typically retain authentication
information indefinitely. HTTP/1.1 does not provide a method for a
server to direct clients to discard these cached credentials.

On the other hand, section 10.4.2 says:

If the request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials. If the 401 response contains the same challenge as the
prior response, and the user agent has already attempted
authentication at least once, then the user SHOULD be presented the
entity that was given in the response, since that entity might
include relevant diagnostic information.

In other words, you may be able to show the login box again (as @Karsten says), but the browser doesn't have to honor your request - so don't depend on this (mis)feature too much.

PHP to mimic a logout feature for http basic auth

Example #3 on this page may be close to what you're looking for.

http://php.net/manual/en/features.http-auth.php

A different route you could take is to implement PHP sessions instead. Here's a good basic read on that.

http://phpmaster.com/php-sessions/

EDIT -
you don't need to force invalid credentials if you add a PHP session (yes, you can have both), even if the only session variable you have is a boolean $_SESSION["IsLoggedIn"]. With said variable, you can add it to the if-statement in example #3, as below, and remove it from the session via your logout.php script.

// authenticate() is the challenge function from example #3 on php.net;
// the ?? '' guards avoid undefined-index notices on the first request.
if (!isset($_SESSION["IsLoggedIn"]) || !isset($_SERVER['PHP_AUTH_USER']) ||
    (($_POST['SeenBefore'] ?? '') == 1 && ($_POST['OldAuth'] ?? '') == $_SERVER['PHP_AUTH_USER'])) {
    authenticate();
} else {
    ...
}

and don't forget to use session_start(); at the top of your page whenever you utilize the $_SESSION variable.

How to log out user from web site using BASIC authentication?

Basic Authentication wasn't designed to manage logging out. You can do it, but not completely automatically.

What you have to do is have the user click a logout link, and send a ‘401 Unauthorized’ in response, using the same realm and at the same URL folder level as the normal 401 you send requesting a login.

They must be directed to input wrong credentials next, eg. a blank username-and-password, and in response you send back a “You have successfully logged out” page. The wrong/blank credentials will then overwrite the previous correct credentials.

In short, the logout script inverts the logic of the login script, only returning the success page if the user isn't passing the right credentials.

The question is whether the somewhat curious “don't enter your password” password box will meet user acceptance. Password managers that try to auto-fill the password can also get in the way here.

Edit to add in response to comment: re-log-in is a slightly different problem (unless you require a two-step logout/login, obviously). You have to reject (401) the first attempt to access the relogin link, then accept the second (which presumably has a different username/password). There are a few ways you could do this. One would be to include the current username in the logout link (eg. /relogin?username), and reject when the credentials match the username.

PHP: HTTP Basic - Log off

A rough idea to start you:

<?php
session_start();

if (isset($_GET['logout'])) {
    // Drop the server-side flag. The browser still caches the Basic
    // credentials, so logout.php has to deal with that separately.
    $_SESSION = [];
    session_destroy();
    header('Location: ../logout.php');
    exit;
}

// Send the Basic challenge with a message and stop; the realm must be the
// same for every 401 the application sends.
function challenge(string $message): void
{
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Test"');
    header('Content-Type: text/html');
    echo $message;
    exit;
}

if (!isset($_SESSION['login'])) {
    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
        challenge('A username and password are required.');
    }

    // Validate $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'];
    // hash_equals() keeps the comparison constant-time.
    if (!hash_equals('TheUsername', $_SERVER['PHP_AUTH_USER'])
        || !hash_equals('ThePassword', $_SERVER['PHP_AUTH_PW'])) {
        challenge('The username or password is not valid.');
    }

    // Valid
    $_SESSION['login'] = true;
}

// The rest of the page is then displayed like normal
?>

How to logout user for basic HTTP authentication

Yes, but it's not very smooth.

You have a special script URL (eg /logout; like a login script it must be in the root of the webapp to ensure the auth gets set to the right path), which, instead of requiring a valid username/password to proceed, requires an invalid one.

So the logged-in user hits /logout, sending valid credentials in the Authorization header. Your script responds 401, and the browser pops up a username/password prompt. You tell the user to put false values in (or, in most browsers, just leaving it blank is OK too) and hit OK. This replaces the valid stored credentials with invalid ones. Your script then returns a ‘logged out’ page or a redirect back to the home page, and the user is no longer logged in.

(Care: Safari, sadly, passes every HTTP request without any credentials first, only trying again with stored credentials if it gets a 401 response. This means you shouldn't take a request with no Authorization header as being OK for the logout script; it must be present, even if with blank credentials in it. This unfortunate behaviour also means you can't provide a logged-in and not-logged-in version of the same page to Safari users under the same URL, and it makes Safari slow at browsing Basic-protected sites, since every page request has to happen twice.)

There is another way that is sometimes used: use JavaScript to send an XMLHttpRequest with a fake username/password combo (eg xhr.open('GET', '/app', true, '_', '_')). This has the non-standard side-effect of replacing the stored credentials in IE and Firefox (but not Opera; not sure about the others).

[Ugh. This is a pain. No wonder everyone uses cookies instead...]
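The logout script described in this answer and in the "How to log out user from web site using BASIC authentication?" answer above, written out as an added example (not code from either answer): it returns a 401 while the browser still presents valid credentials, treats a request with no Authorization header at all as "not logged out yet" because of the Safari behaviour, and handles the re-login link variant. The realm "Members", the single account whose bcrypt hash is computed at startup, and the path /logout.php are assumptions for the example; a real application would load the hash from its user store.

```php
<?php
// Added example, not code from any answer above: a Basic-auth logout
// endpoint that inverts the login logic, with the Safari and re-login
// cases handled. Assumptions (all hypothetical): realm "Members", a single
// account whose bcrypt hash is computed below instead of loaded from a
// store, and this file served as /logout.php in the web root so that
// the replaced credentials are scoped to the whole application.

const REALM = 'Members';
const VALID_USER = 'alice';
$validHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT); // demo only

// Return [user, password] from the Authorization header, or null when the
// browser sent no header at all. Blank credentials come back as ['', ''].
function basic_credentials(): ?array
{
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? ''];
    }
    // Assumption: under CGI/FastCGI the raw header has been passed through
    // as HTTP_AUTHORIZATION (e.g. by a rewrite rule).
    $hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($hdr, 6), true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode(':', $decoded, 2);
    return [$parts[0], $parts[1] ?? ''];
}

function credentials_are_valid(string $user, string $pw, string $hash): bool
{
    // Constant-time username check, bcrypt for the password.
    return hash_equals(VALID_USER, $user) && password_verify($pw, $hash);
}

// Same realm and same path level as the login challenge, so whatever the
// user types next replaces the cached credentials for the whole app.
function send_challenge(string $body): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('Content-Type: text/html; charset=utf-8');
    echo $body;
    exit;
}

$prompt = '<p>Leave both fields blank (or type anything) and press OK to log out.</p>';
$creds  = basic_credentials();

if ($creds === null) {
    // No Authorization header at all. Safari sends its first request without
    // one and only retries with stored credentials after a 401, so a missing
    // header must be answered with a challenge, never with "logged out".
    send_challenge($prompt);
}
[$user, $pw] = $creds;

if (isset($_GET['relogin'])) {
    // Re-login link of the form /logout.php?relogin=1&username=alice:
    // reject while the browser still presents the account named in the link,
    // accept as soon as a different, valid account is sent.
    $old = (string)($_GET['username'] ?? '');
    if (hash_equals($old, $user) || !credentials_are_valid($user, $pw, $validHash)) {
        send_challenge('<p>Enter the credentials of the account you want to switch to.</p>');
    }
    header('Location: /');
    exit;
}

if (credentials_are_valid($user, $pw, $validHash)) {
    // Still logged in: challenge again so the browser asks for new input.
    send_challenge($prompt);
}

// Wrong or blank credentials are now what the browser has cached.
header('Content-Type: text/html; charset=utf-8');
echo '<p>You have successfully logged out.</p>';
```

To check the two branches from the command line: `curl -i -u 'alice:correct horse battery staple' https://host/logout.php` should return the 401 with the prompt, while `curl -i -u : https://host/logout.php` (an Authorization header carrying blank credentials) should return the "successfully logged out" page. A request with no `-u` at all gets the 401, which is exactly the Safari case.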

Logging out with HTTP Basic Auth in Laravel

I had the same problem, I really couldn't log out the current user... And the answer is simple: Laravel doesn't support logout() with Auth::basic().

There are ways to fix it, but it's not very clean; https://www.google.nl/search?q=logout+basic

PHP Digest auth, logout

Unsetting $_SERVER['PHP_AUTH_DIGEST'] will have no effect. The problem is, there's not really a "good" answer to the task you've set.

The HTTP specification doesn't technically allow for it, but in practice, most of the browsers out there will effectively "log the user out" if you send them another 401. Per php.net/http-auth:

Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button.

From your code, the simplest method is probably something like:

function logout(){
    header('HTTP/1.1 401 Unauthorized');
    return true;
}

but, again, this is not actually something approved of by the HTTP specification.
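As an added example (not the answer's own code): a 401 only makes the browser ask again when it carries a challenge, so a Digest "logout" should re-issue a WWW-Authenticate: Digest header with a fresh nonce for the same realm. The script below does that, and also shows how a time-limited HMAC nonce lets the server reject replays of the old nonce without keeping state. The realm "Restricted Area" and the admin/mypass account come from the php.net digest example; the server secret and the 300-second nonce lifetime are assumptions for the example.

```php
<?php
// Added example, not the answer's own code: a Digest-auth "logout" that
// re-challenges the browser properly. A bare 401 carries no challenge, so
// this sends a fresh Digest challenge (new nonce) for the same realm;
// browsers that clear their cache on 401 then prompt again. Assumptions:
// realm "Restricted Area" and the admin/mypass account from the php.net
// digest example, a server secret defined below, and a 5-minute nonce
// lifetime.

const REALM        = 'Restricted Area';
const NONCE_SECRET = 'replace-with-a-random-server-secret'; // assumption: from config in real code
const NONCE_TTL    = 300;                                   // seconds

// Real deployments store HA1 = md5(user:realm:password), not the password.
$users = ['admin' => 'mypass'];

// Nonce = timestamp plus an HMAC over it, so the server can verify that it
// issued the nonce, and how old it is, without keeping state.
function make_nonce(): string
{
    $ts = (string)time();
    return base64_encode($ts . ':' . hash_hmac('sha256', $ts, NONCE_SECRET));
}

function nonce_is_fresh(string $nonce): bool
{
    $raw = base64_decode($nonce, true);
    if ($raw === false || strpos($raw, ':') === false) {
        return false;
    }
    [$ts, $mac] = explode(':', $raw, 2);
    return hash_equals(hash_hmac('sha256', $ts, NONCE_SECRET), $mac)
        && (time() - (int)$ts) <= NONCE_TTL;
}

function send_digest_challenge(string $body, bool $stale = false): void
{
    http_response_code(401);
    header(sprintf(
        'WWW-Authenticate: Digest realm="%s",qop="auth",nonce="%s",opaque="%s"%s',
        REALM, make_nonce(), md5(REALM), $stale ? ',stale=true' : ''
    ));
    header('Content-Type: text/html; charset=utf-8');
    echo $body;
    exit;
}

// Split the Digest header into key/value pairs; null if a field is missing.
function parse_digest(string $txt): ?array
{
    $needed = array_flip(['nonce', 'nc', 'cnonce', 'qop', 'username', 'uri', 'response']);
    $data   = [];
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $txt, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ?? $m[2];   // group 3 is the unquoted form (nc, qop)
        unset($needed[$m[1]]);
    }
    return $needed ? null : $data;
}

// RFC 2617 response check for qop=auth; the nonce's age is checked separately
// so that a correct password with an expired nonce gets stale=true.
function digest_response_matches(array $d, array $users, string $method): bool
{
    if (!isset($users[$d['username']])) {
        return false;
    }
    $a1 = md5($d['username'] . ':' . REALM . ':' . $users[$d['username']]);
    $a2 = md5($method . ':' . $d['uri']);
    $expected = md5(implode(':', [$a1, $d['nonce'], $d['nc'], $d['cnonce'], $d['qop'], $a2]));
    return hash_equals($expected, $d['response']);
}

if (isset($_GET['logout'])) {
    // The "logout": a fresh challenge for the same realm. Unsetting
    // $_SERVER['PHP_AUTH_DIGEST'] would change nothing; the browser has to be
    // told to ask again, and the old nonce stops verifying after NONCE_TTL.
    send_digest_challenge('<p>You have been logged out. Cancel the prompt, or enter your credentials to log in again.</p>');
}

$digest = parse_digest($_SERVER['PHP_AUTH_DIGEST'] ?? '');
if ($digest === null) {
    send_digest_challenge('<p>Authentication required.</p>');
}
if (!digest_response_matches($digest, $users, $_SERVER['REQUEST_METHOD'])) {
    send_digest_challenge('<p>Wrong username or password.</p>');
}
if (!nonce_is_fresh($digest['nonce'])) {
    // Password was right but the nonce expired: stale=true lets the browser
    // retry with the new nonce without prompting the user again.
    send_digest_challenge('<p>Nonce expired.</p>', true);
}

echo '<p>Logged in as ' . htmlspecialchars($digest['username'], ENT_QUOTES) . '.</p>';
```

Note that this is still only as good as the browser's behaviour on 401: a user who enters the same username and password at the new prompt is logged in again immediately, which is all the mechanism quoted above promises.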
