Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Logging out htaccess

by CodeJunkie (Monk)
on May 08, 2003 at 16:28 UTC ( #256582=perlquestion: print w/replies, xml ) Need Help??

CodeJunkie has asked for the wisdom of the Perl Monks concerning the following question:

Hi,
I'm trying to find out how I can loggout a user when they have logged in using apache htaccess authentication.

I realise that by completing the login boxes you are setting the environment varibles as follows

$ENV{'REMOTE_USER'}; $ENV{'REMOTE_ADDR'};

So I thought this code would work...

if ($logout) { print "<b>Logging out user: $ENV{'REMOTE_USER'}</b><br/>"; $ENV{'REMOTE_USER'}=; $ENV{'REMOTE_ADDR'}=; }

Unfortunately it doesn't, can anyone suggest a different way I can log a user out of a session without getting them to close their browser... or shall I just have cookie controlling logging in and out of sessions?

cheers,
Tom

Replies are listed 'Best First'.
•Re: Logging out htaccess
by merlyn (Sage) on May 08, 2003 at 17:29 UTC
Re: Logging out htaccess
by belg4mit (Prior) on May 08, 2003 at 17:47 UTC
    I just want to point out *why* that doesn't work.

    If a URI is using basic authentication the server will challenge the browser with 401 if it does not receive a valid user/pass combo with the request, ad infinitum. Once a valid user/pass is provided, the browser will transparently feed the server that user/pass for every URI below the protected one. Therefore, your environment variables are being set by the server, because the browser is providing it. Furthermore, you're changing an environment value in a child and expecting it to apply to all children, which it clearly won't.

    --
    I'm not belgian but I play one on TV.

Re: Logging out htaccess
by jgallagher (Pilgrim) on May 08, 2003 at 16:36 UTC
    I would suggest going the cookie/session route. Most browsers will store the username/password for basic HTTP authentication, so even if you manage to remove them from the server end, the browser will just send them back automatically when asked for them.
Re: Logging out htaccess
by Aristotle (Chancellor) on May 10, 2003 at 20:25 UTC
    It's not really possible without user participation. You have to send a reply with HTTP status 401 Authorization Required to the browser and tell the user not to enter any credentials. The other way is having them close all their browser windows.

    Makeshifts last the longest.

Re: Logging out htaccess
by CodeJunkie (Monk) on May 09, 2003 at 10:18 UTC
    Thanks for the comments that kind of confirmed what I was thinking. I will go with the cookie idea, just thought i'd better check out all the alternatives :-)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://256582]
Approved by benn
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (4)
As of 2020-06-02 18:44 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Do you really want to know if there is extraterrestrial life?



    Results (19 votes). Check out past polls.

    Notices?