
PHP to mimic a logout feature for http basic auth

I understand that there is no "real solution" to logging out of http as it is stateless. However, all I need is a workaround. The one that I am trying to achieve is when a logout link is clicked it redirects to the logout.php file. That file calls the basic auth header again. I want to have php code pass a bogus password in, and then redirect to my homepage where the user will "be logged out".

I realize they would not actually be logged out, but rather the browser will be attempting to use the most recent auth credentials, which will have been passed in and are incorrect, therefore making the user re-log in with valid ones.

I have basically no php experience and cannot figure out how to code up the passing of a false password.

Any help is appreciated.

logout.php

<?php
    session_start();
    session_write_close();

    // Re-issue the Basic auth challenge so the browser asks for credentials again.
    header('HTTP/1.1 401 Access Denied');
    header('WWW-Authenticate: Basic realm="HTTPS File Upload"');
    header('HTTP/1.0 401 Unauthorized');
    // Note: PHP turns a Location header into a 302 redirect, which replaces the 401 status set above.
    header('Location: http://www.homepage.com');
    exit;
?>

Example #3 on this page may be close to what you're looking for.

http://php.net/manual/en/features.http-auth.php

A different route you could take is to implement PHP sessions instead. Here's a good basic read on that.

http://phpmaster.com/php-sessions/

EDIT - you don't need to force invalid credentials if you add a PHP session (yes, you can have both). Even if the only session variable you have is a boolean $_SESSION["IsLoggedIn"]. With said variable, you can add it to the if-statement in example #3, as below, and remove it from the session via your logout.php script.

// Challenge again when the session flag is missing, when no credentials were sent,
// or when the same user is re-submitting after a logout (the manual's example #3 check).
if (!isset($_SESSION["IsLoggedIn"]) || !isset($_SERVER['PHP_AUTH_USER']) ||
    ($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
    authenticate();
} else {
    ...
}

and don't forget to use session_start(); at the top of your page whenever you utilize the $_SESSION variable.
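The session-flag approach this answer describes, written out as one page that both serves the protected content and handles the logout button. This is an added example, not code from the question or from any answer here. It assumes a single hard-coded user name (`admin`) and generates the password hash at startup purely for demonstration; a real deployment would store a precomputed hash. The realm name is arbitrary.

```php
<?php
// Added example: HTTP Basic auth combined with a $_SESSION["IsLoggedIn"] flag.
// The server serves the page only while the flag is set; logout clears the
// flag and re-challenges with a 401 so the browser prompts for credentials.
// Assumptions: one hard-coded user; the hash below is constructed at startup
// for demonstration only.
session_start();

const DEMO_USER = 'admin';                                       // assumed user
$demoHash = password_hash('example-password', PASSWORD_DEFAULT); // constructed

// Send the Basic auth challenge and stop. Used on first visit, on bad
// credentials, and on logout.
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="Session-backed realm"');
    http_response_code(401);
    echo '<h1>Access Denied!</h1>';
    exit;
}

// Logout: clear the server-side flag, rotate the session id, then challenge.
// The browser still remembers the credentials, but the page stays locked
// until a fresh, verified response re-sets the flag.
if (isset($_POST['logout'])) {
    unset($_SESSION['IsLoggedIn']);
    session_regenerate_id(true);
    challenge();
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pw   = $_SERVER['PHP_AUTH_PW']   ?? '';

// Verify the credentials on every request; the flag alone is never trusted.
// hash_equals and password_verify avoid timing leaks and plain-text compares.
$credentialsValid = $user !== null
    && hash_equals(DEMO_USER, $user)
    && password_verify($pw, $demoHash);

if (!$credentialsValid) {
    unset($_SESSION['IsLoggedIn']);
    challenge();
}

// First valid response after a challenge: mark the session as logged in and
// rotate the id so a session id issued before login cannot be reused.
if (empty($_SESSION['IsLoggedIn'])) {
    session_regenerate_id(true);
    $_SESSION['IsLoggedIn'] = true;
}
?>
<p>Hello <?= htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8') ?>.</p>
<form method="POST">
    <button name="logout" type="submit">Log Out</button>
</form>
```

Two points worth checking when adapting this. First, the server cannot distinguish an Authorization header the browser replayed from one the user re-typed after the prompt; if a browser silently re-sends the cached credentials on the next request, that request is valid and re-sets the flag, which is the limitation the other answers describe. Second, the flag is cleared and the session id rotated before the 401 is sent, so a leaked pre-logout session cookie does not keep the page open after logout.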

It does work:

<?php
// Challenge when no credentials were sent, or when the logout button was pressed.
if (!isset($_SERVER['PHP_AUTH_USER']) or isset($_POST['logout'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h1>Access Denied!</h1>';
    exit;
} else {
    // Reject anything other than the expected user and password hash.
    if(!($_SERVER['PHP_AUTH_USER']=='admin' and md5($_SERVER['PHP_AUTH_PW'])=='d81edf2e48ddddddddd631e374c5932d'))
    {
        header('HTTP/1.0 401 Unauthorized');
        exit;
    }
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>


<html>
<head>
</head>
<body>
<form method="POST">
<button name="logout" type="submit">Log Out</button>
</form>

</body>
</html>

Basic http auth works by passing a username/password with every request. Browsers typically store the credentials and pass them in every request, so your solution cannot be server side; you'd have to figure out a way to tell the browser to forget the credentials, if that's at all possible.

Set the http response code to:

401

The response header must include:

WWW-Authenticate : Basic

A user will now be prompted to login when they refresh.

PS Chromium browsers will prompt a user to login just from a 401 code, so I would test with IE. Also, private browsing mode is your friend.
