How to enable *logout* after htaccess login?


#1

Hi, I’ve used the Htaccess/WebDAV facility on the control panel to password-protect a directory. Users now have to log in to get to it. But since some of them are using multi-user machines, I’d like to make them able to log out.

Can someone advise on how to achieve this?

Many thanks in advance.
Neil


#2

There is no “logging in” to begin with (it’s authentication only, not session management!) and thus no “logout” function. The way it works is: the browser asks for the web page; the server says you forgot to provide a username and password; the browser asks the person for them; the browser asks again, giving the username and password to the server; and the server gives the browser the web page. After that the browser “remembers” the username and password - and that is all there is to it. There is nothing you can do to force the browser to “forget”. And it’s not a good idea to try to trick the browser by saying the credentials are wrong as a substitute for a “logout”, not that you can do that easily with the way DreamHost has the shared web servers configured.
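
The exchange described in the post above, replayed against a local server as an added example that is not part of the thread; the credentials, realm name and function names are constructed for the demo. The third request shows that the server keeps no session: access depends only on whether the client sends the `Authorization` header again.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials (an assumption, not values from the thread).
EXPECTED = b"Basic " + base64.b64encode(b"neil:example-password")

class BasicAuthHandler(BaseHTTPRequestHandler):
    """No session: every request is judged only on its own Authorization header."""
    def do_GET(self):
        sent = self.headers.get("Authorization", "").encode("latin-1")
        ok = hmac.compare_digest(sent, EXPECTED)
        body = b"protected page\n" if ok else b"authentication required\n"
        self.send_response(200 if ok else 401)
        if not ok:  # this challenge is what makes a browser prompt
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch(port, auth=None):
    """One GET; returns (status, WWW-Authenticate header or None)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Authorization": auth} if auth else {})
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("WWW-Authenticate"))
    conn.close()
    return result

def run_exchange():
    """Anonymous request, request with credentials, then anonymous again."""
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return [fetch(port), fetch(port, EXPECTED.decode()), fetch(port)]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for status, challenge in run_exchange():
        print(status, challenge)
```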


#3

Thanks for this. What poor security! Many developers seem to have wanted to be able to log users out from an htaccess authentication, so it’s a shame that no web browser facilitates this, despite its being desirable in many circumstances. Browsers could easily have buttons to make them stop sending the authentication headers, but none of them do. Attempting to authenticate again with wrong credentials is one good way that’s been thought of, but as you say, given DreamHost’s configuration, it’s not easy to get the login screen to show again. The best workaround I’ve come up with is to tell the user to close not just the window, but all open windows in the browser.