
Destroying $_SERVER session?

Okay so I'm not using any session variables, rather my code looks like this:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Enter your Twitter username and password:"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Please enter your Twitter username and password to view your followers.';
    exit();
}

$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW']; 

So, my question is, how can I destroy this login session when the user wants to sign out of their (in this case) Twitter login credentials?

Patrick C asked Dec 23 '22 10:12


2 Answers

There is no way to destroy an HTTP authentication login server-side. This is one of the biggest disadvantages of this form of login.

MitMaro answered Dec 24 '22 22:12


All you can do is to send another 401 header. The browser will usually "forget" the old value, pop up another user/pass input dialog and if users then press the "abort" button they are "logged out". Two drawbacks:

  • The "abort the login to logout" dialog may surprise users a bit
  • "usually" means: better not depend on it.

edit: And has already been answered, HTTP authentication logout via PHP

VolkerK answered Dec 24 '22 22:12
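
The approach from the second answer (reply to the sign-out request with another 401), as an added example that is not part of the original thread. The realm text and the `logout` query parameter are assumptions made for illustration:

```php
<?php
// Added example: sign-out for HTTP Basic auth by re-issuing the 401 challenge.
// REALM and the "logout" query parameter are assumptions, not from the question.
const REALM = 'Twitter followers';

function send_challenge(string $body): void
{
    // Use the same realm as the login challenge so the browser treats this
    // as the same protection space. A 401 in reply to a request that carried
    // credentials tells the browser those credentials were refused.
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    // Keep authenticated pages out of browser and proxy caches.
    header('Cache-Control: no-store');
    echo $body;
    exit();
}

// Sign-out request: always answer 401, even when credentials were sent.
// The browser prompts again; if the user cancels the dialog, it shows this
// body and usually drops the stored username and password.
if (isset($_GET['logout'])) {
    send_challenge('You have been signed out.');
}

// Normal request without credentials: first login challenge.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    send_challenge('Please enter your username and password.');
}

$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'] ?? '';

// Escape the user-supplied name before echoing it into HTML.
echo 'Signed in as ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
echo ' <a href="?logout=1">Sign out</a>';
```

The server keeps no state here, so whether the credentials are really forgotten is decided by the browser, which is the caveat both answers raise.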