Destroying $_SERVER session?

Question

Okay so I'm not using any session variables, rather my code looks like this:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Enter your Twitter username and password:"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Please enter your Twitter username and password to view your followers.';
    exit();
}

$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW']; 

So, my question is, how can I destroy this login session when the user wants to sign out of their (in this case) twitter login credentials?

Answer 1

There is no way to destroy an http authentication login server side. This is one of the biggest disadvantages of this form of login.

Answer 2

All you can do is to send another 401 header. The browser will usually "forget" the old value, pop up another user/pass input dialog and if users then press the "abort" button they are "logged out". Two drawbacks:

• The "abort the login to logout" dialog may surprise users a bit
• "usually" means: better not depend on it.

edit: And has already been answered, HTTP authentication logout via PHP