php-general
Re: [PHP] header('www-Authenticate ...') Problem
by Richard Lynch
Feb 28 2005 5:05PM
dpgirago@[...].org wrote:
>  I can't remember where the example below came from, but the event handler
>  for the 're-authenticate' button doesn't allow a re-authentication
>  /**********************************************************************
>   *      reset event handler does not work as expected                *
>   **********************************************************************/
>  if(IsSet($_POST['authenticator']) && $_POST['authenticator'])
>  {
>          unset($qualifiedUsers);
>          unset($qualifiedPasswords);
>          unset($_SERVER['PHP_AUTH_USER']);
>          unset($_SERVER['PHP_AUTH_PW']);
>          unset($_POST['authenticator']);

Remember how these values come in to this point:

The *BROWSER* remembers your login credentials, and re-sends them with
each request.

unset($_SERVER['PHP_AUTH_USER']);

is kinda pointless.

It will unset() it for this script, but the browser is gonna re-send them
on the next page hit.

Ain't no way to make it *NOT* send them, cuz the HTTP spec didn't plan for
that.  Sorry.

What you gotta do is change the REALM out from under them.

In other words, if user X is logged in with HTTP Basic authentication, and
you want to log them out, from that moment forward, send:

header('WWW-Authenticate: Basic realm="Some other Realm"');

So you'll need to track "used" realms, or perhaps keep a $counter going
for each user, and when they log out, "Whammo" change the Realm out from
under them.

At least, that's how I was told to do it.

Somebody said there was a way to log somebody out with other headers, but
I always forget what it is...

-- 
Like Music?
http://l-i-e.com/artists.htm
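
The realm-change logout described in the message above, as an added example that is not part of the original post. It assumes PHP sessions hold the per-browser counter and that the browser caches Basic credentials per realm; the realm text, the `$users` table and the session keys are constructed for illustration, and `authenticator` is the POST field from the quoted code.

```php
<?php
// Added example. Assumptions: PHP sessions carry the per-browser realm
// counter; $users is a constructed credential table.
session_start();

$users = ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
$_SESSION['realm_n'] = $_SESSION['realm_n'] ?? 0;

function challenge(int $n): void
{
    // A realm the browser has not seen has no cached credentials to re-send.
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="Members area ' . $n . '"');
    echo 'Authentication required.';
    exit;
}

// Logout button: rotate the realm, then redirect so the browser's
// post-login retry is a plain GET and does not repeat the logout POST.
if (!empty($_POST['authenticator'])) {
    $_SESSION['realm_n']++;
    $_SESSION['must_challenge'] = true;
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

// The browser still re-sends the old credentials here; answer once with
// the new realm no matter what it sent.
if (!empty($_SESSION['must_challenge'])) {
    unset($_SESSION['must_challenge']);
    challenge($_SESSION['realm_n']);
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
    challenge($_SESSION['realm_n']);
}

echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The server cannot tell from the Authorization header which realm the credentials were typed for, so the one-shot `must_challenge` flag is what forces the prompt after logout.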
