I am using the php authentication method for digest authentication as shown on the php manual. All is working well except for the logout part.
I am using session_destroy() to try and log my users out, which it does. However my problem is if the user goes to log back in before closing the browser out they are not prompted for a username and password and they are automatically logged back in with the last username and password they entered.
It seems the credentials are somehow being remembered by the browser. In Firefox if I manually clear “active logins” in the “clear browsing history” before trying to log back in then I am prompted for the username and password even though the user has been logged out with session_destroy().
I am also using an example from the php manual to clear the cookie but that doesn’t seem to help, it doesn’t seem to be a cookie problem.
Here is my logout.php code
<?php
session_start();
$_SESSION = array();
//destroy cookie if it exists
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
//destroy session
session_destroy();
header("location:form.php");
exit();
?>
What am I missing? Thanks for any help!
HTTP Auth works slightly different then authentication with session.
The only possibility to clear a http Auth session is to change the realm name.
Check http://www.php.net/manual/en/features.http-auth.php#100396 (Comment #100396) it’s where I found out.
BTW: It’s a lot easier to use sessions for authentication, you have a lot more possibilities to store user information etc. so if there is no certain reason for httpAuth you might be better with using sessions.