Thanks for this. What poor security! Many developers seem to have wanted to be able to log users out from an htaccess authentication, so it's a shame that no web browser facilitates this, despite its being desirable in many circumstances. Browsers could easily have buttons to make them stop sending the authentication headers, but none of them do. Attempting to authenticate again with wrong credentials is one good way that's been thought of, but as you say, given Dreamhost's configuration, it's not easy to get the login screen to show again. The best workaround I've come up with is to tell the user to close not just the window, but all open windows in the browser.