Home/ Questions/Q 3635390
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T00:53:52+00:00

Is there a way to logout of a digest authentication done in php. I

  • 0

Is there a way to logout of a digest authentication done in php.

I have tried unset($_SERVER[“PHP_AUTH_DIGEST”]);
But it wont ask to relogin.
I know if i close the browser then it will work and here are my functions.

    function login(){
        $realm = "Restricted area";
        $users = array("jamesm"=>"");
        if (empty($_SERVER["PHP_AUTH_DIGEST"])) {
            header("HTTP/1.1 401 Unauthorized");
            header("WWW-Authenticate: Digest realm=\"{$realm}\",qop=\"auth\",nonce=\"".uniqid()."\",opaque=\"".md5($realm)."\"");
            return false;
        }
        if (!($data = http_digest_parse($_SERVER["PHP_AUTH_DIGEST"])) || !isset($users[$data["username"]]))
            return false;
        $A1 = md5($data["username"] . ":{$realm}:{$users[$data["username"]]}");
        $A2 = md5($_SERVER["REQUEST_METHOD"].":{$data["uri"]}");
        $valid_response = md5("{$A1}:{$data["nonce"]}:{$data["nc"]}:{$data["cnonce"]}:{$data["qop"]}:{$A2}");
        if ($data["response"] != $valid_response)
            return false;
        return true;
    }
    function logout(){
        unset($_SERVER["PHP_AUTH_DIGEST"]);
        return true;
    }

What more do i need to add to the logout function to finish this off.

If i change the realm it works but i don’t want it to be changed.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Unsetting $_SERVER[‘PHP_AUTH_DIGEST’] will have no effect. The problem is, there’s not really a “good” answer to the task you’ve set.

    The HTTP specification doesn’t technically allow for it, but in practice, most of the browsers out there will effectively “log the user out” if you send them another 401. Per php.net/http-auth:

    Both Netscape Navigator and Internet Explorer will clear the local browser window’s authentication cache for the realm upon receiving a server response of 401. This can effectively “log out” a user, forcing them to re-enter their username and password. Some people use this to “time out” logins, or provide a “log-out” button.

    From your code, the simplest method is probably something like:

    function logout(){
    header('HTTP/1.1 401 Unauthorized');
    return true;
}

    but, again, this is not actually something approved of by the HTTP specification.

    • 0