PHP Digest auth, logout

Question

Is there a way to logout of a digest authentication done in php.

I have tried unset($_SERVER["PHP_AUTH_DIGEST"]); But it wont ask to relogin. I know if i close the browser then it will work and here are my functions.

    function login(){
        $realm = "Restricted area";
        $users = array("jamesm"=>"");
        if (empty($_SERVER["PHP_AUTH_DIGEST"])) {
            header("HTTP/1.1 401 Unauthorized");
            header("WWW-Authenticate: Digest realm=\"{$realm}\",qop=\"auth\",nonce=\"".uniqid()."\",opaque=\"".md5($realm)."\"");
            return false;
        }
        if (!($data = http_digest_parse($_SERVER["PHP_AUTH_DIGEST"])) || !isset($users[$data["username"]]))
            return false;
        $A1 = md5($data["username"] . ":{$realm}:{$users[$data["username"]]}");
        $A2 = md5($_SERVER["REQUEST_METHOD"].":{$data["uri"]}");
        $valid_response = md5("{$A1}:{$data["nonce"]}:{$data["nc"]}:{$data["cnonce"]}:{$data["qop"]}:{$A2}");
        if ($data["response"] != $valid_response)
            return false;
        return true;
    }
    function logout(){
        unset($_SERVER["PHP_AUTH_DIGEST"]);
        return true;
    }

What more do i need to add to the logout function to finish this off.

If i change the realm it works but i don't want it to be changed.

Answer 1

Unsetting $_SERVER['PHP_AUTH_DIGEST'] will have no effect. The problem is, there's not really a "good" answer to the task you've set.

The HTTP specification doesn't technically allow for it, but in practice, most of the browsers out there will effectively "log the user out" if you send them another 401. Per php.net/http-auth:

Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button.

From your code, the simplest method is probably something like:

function logout(){
    header('HTTP/1.1 401 Unauthorized');
    return true;
}

but, again, this is not actually something approved of by the HTTP specification.

Answer 2

Authoritative answer: http://tools.ietf.org/id/draft-ietf-httpbis-p7-auth-12.txt - section 6.1
There is no reliable way.

Some workarounds include faking a 401 and changing the realm=, or acknowledging an AJAX auth request with purposefully invalid credentials.