
#1 2012-02-27 03:59:23

synthead
Member
Registered: 2006-05-09
Posts: 1,337

Logging out of a PHP script with digest authentication

This has come up all the time, and I feel like I'm just getting over the hump of learning digest auth. The problem is that the HTTP specifications have no definitive way to "log out" a user. If you give the user a 401 and force them to log in again, cached credentials will permit them to log in without seeing another login prompt. What's your method for forcing a user to log in again?

I think if I append uniqid() to the username or password, essentially giving it a temporary random salt, every login will be unique, making the user get asked for credentials regardless. The problem here is that I can't append uniqid() to whatever the browser is giving me to check for this, because it's already hashed by the browser.

The other thing I'm thinking of: this happens in webapps all the time.  I'm even entering this in a forum that is doing it.  If there's no HTTP spec to log out, how and why is it so common?

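As an added illustration of the point in this post (example code, not from the thread or its author): a PHP handler that verifies a digest response the way RFC 2617 (qop="auth") prescribes. It assumes PHP runs as an Apache module so that `$_SERVER['PHP_AUTH_DIGEST']` is populated; the user store, the server secret and the realm string are constructed values. The verification shows why appending uniqid() on the server side cannot work: the browser's response already contains MD5(username:realm:password), so anything the server changes afterwards only breaks verification.

```php
<?php
// Added example, not code from the thread: verifying an HTTP Digest
// Authentication response (RFC 2617, qop="auth") in PHP. Assumes PHP runs
// as an Apache module so that $_SERVER['PHP_AUTH_DIGEST'] is populated.

const REALM = 'Restricted area'; // constructed realm string

// Constructed user store. The server needs the plaintext password or
// HA1 = md5("username:realm:password"); storing HA1 is the lesser evil.
// HA1 is bound to this exact username and realm string, so the server
// cannot "append uniqid()" to the password: the browser computed its
// response from the original password, and any server-side change just
// makes every verification fail instead of prompting the user again.
$users = [
    'alice' => md5('alice:' . REALM . ':correct horse battery staple'),
];

// Nonces carry a timestamp and an HMAC so they can be validated without
// server-side state. $secret is a constructed value; load it from config.
function makeNonce(string $secret): string
{
    $ts = (string) time();
    return base64_encode($ts . ':' . hash_hmac('sha256', $ts, $secret));
}

function nonceIsFresh(string $nonce, string $secret, int $maxAge = 300): bool
{
    $decoded = base64_decode($nonce, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$ts, $mac] = $parts;
    return hash_equals(hash_hmac('sha256', $ts, $secret), $mac)
        && (time() - (int) $ts) <= $maxAge;
}

// Parse the Authorization: Digest header into key => value pairs.
function parseDigest(string $header): ?array
{
    $required = ['username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response'];
    $data = [];
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $data[$m[1]] = ($m[2] ?? '') !== '' ? $m[2] : ($m[3] ?? '');
    }
    foreach ($required as $key) {
        if (!isset($data[$key])) {
            return null;
        }
    }
    return $data;
}

// Recompute the response the browser should have sent for this request.
function expectedResponse(string $ha1, string $method, array $d): string
{
    $ha2 = md5($method . ':' . $d['uri']);
    return md5(implode(':', [$ha1, $d['nonce'], $d['nc'], $d['cnonce'], $d['qop'], $ha2]));
}

// Send a 401 with a fresh challenge and stop.
function challenge(string $secret, bool $stale = false): void
{
    http_response_code(401);
    header(sprintf(
        'WWW-Authenticate: Digest realm="%s",qop="auth",nonce="%s",opaque="%s"%s',
        REALM, makeNonce($secret), md5(REALM), $stale ? ',stale=true' : ''
    ));
    exit('Authentication required');
}

$secret = 'constructed-server-secret';

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    challenge($secret);
}
$d = parseDigest($_SERVER['PHP_AUTH_DIGEST']);
if ($d === null || $d['realm'] !== REALM || !isset($users[$d['username']])) {
    challenge($secret);
}
if ($d['uri'] !== $_SERVER['REQUEST_URI']) {
    challenge($secret); // digest must cover the URI actually requested
}
if (!nonceIsFresh($d['nonce'], $secret)) {
    // stale=true makes the browser retry silently with its cached credentials
    // and the new nonce: expiring nonces does not log the user out, which is
    // exactly the behaviour described in the post above.
    challenge($secret, true);
}
$expected = expectedResponse($users[$d['username']], $_SERVER['REQUEST_METHOD'], $d);
if (!hash_equals($expected, $d['response'])) {
    challenge($secret);
}
echo 'Authenticated as ' . htmlspecialchars($d['username']);
```

Because HA1 is computed over the realm as well as the password, the one digest-native lever the server does have is the realm string: browsers cache credentials per realm, so a changed realm produces a new prompt. That follows from the formula above rather than from anything in the thread, and it applies to every user at once, not to a single session.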

#2 2012-03-01 15:59:12

i_love_penguins
Member
From: Germany
Registered: 2010-03-30
Posts: 46

Re: Logging out of a PHP script with digest authentication

Because of the stateless nature of the HTTP protocol, there are no (server-side) sessions when using digest auth. At least this is not what it is intended for. The browser resends the credentials every time after you have entered them until your browsing session ends (e.g. you close the browser).

By trying to do something with "uniqid()" you are just trying to work around a (IMHO) faulty implementation of your authentication process. I guess you should just rethink the whole process and provide a login interface instead of sending digest headers. With this you can easily control when to log out by destroying the session. Since in this case the browser does not send the credentials every time, you can re-present the login form after logout (forcing the user to manually log in again).

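The form-plus-session approach recommended in this post, as an added example that is not from the thread: a single PHP page with a login form, a server-side session and a logout action that destroys the session, so the application, not the browser, decides when the user is logged in. The user store, the password and the form markup are constructed for the example.

```php
<?php
// Added example, not code from the thread: form-based login with a PHP
// session. Logout destroys the session and its cookie, so the next request
// arrives unauthenticated and the form is shown again.
session_start();

// Constructed user store standing in for a database; password_hash()
// output is stored, never the plaintext password.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Verified for unknown usernames so both branches cost about the same time.
$dummyHash = password_hash('not-a-real-user', PASSWORD_DEFAULT);

function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

function login(array $users, string $dummyHash, string $username, string $password): bool
{
    $ok = password_verify($password, $users[$username] ?? $dummyHash);
    if (!isset($users[$username]) || !$ok) {
        return false;
    }
    session_regenerate_id(true); // new session id on privilege change (anti-fixation)
    $_SESSION['user'] = $username;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Per-session CSRF token so login and logout cannot be triggered cross-site.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
$action = $_POST['action'] ?? '';
if ($action !== '' && !hash_equals($_SESSION['csrf'], $_POST['csrf'] ?? '')) {
    http_response_code(400);
    exit('Bad request');
}

$error = '';
if ($action === 'logout') {
    logout();
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}
if ($action === 'login'
    && !login($users, $dummyHash, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    $error = 'Invalid username or password';
}

$csrf = htmlspecialchars($_SESSION['csrf']);
$user = currentUser();
if ($user !== null) {
    echo '<p>Logged in as ' . htmlspecialchars($user) . '</p>';
    echo '<form method="post"><input type="hidden" name="csrf" value="' . $csrf . '">'
       . '<button name="action" value="logout">Log out</button></form>';
} else {
    if ($error !== '') {
        echo '<p>' . htmlspecialchars($error) . '</p>';
    }
    echo '<form method="post"><input type="hidden" name="csrf" value="' . $csrf . '">'
       . '<input name="username" autocomplete="username"> '
       . '<input name="password" type="password" autocomplete="current-password"> '
       . '<button name="action" value="login">Log in</button></form>';
}
```

The session cookie should additionally be marked Secure and HttpOnly (session.cookie_secure and session.cookie_httponly in php.ini or via session_set_cookie_params() before session_start()), which keeps the cookie off plain-HTTP connections and out of reach of page scripts.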

#3 2012-04-22 17:54:45

synthead
Member
Registered: 2006-05-09
Posts: 1,337

Re: Logging out of a PHP script with digest authentication

I ended up going with basic auth over SSL. Thanks for the help :)

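For the approach this post settled on, an added example (not from the thread): HTTP Basic authentication in PHP that refuses to authenticate unless the request arrived over TLS, since Basic sends the password merely base64-encoded on every request. It assumes PHP runs as an Apache module so that `PHP_AUTH_USER` and `PHP_AUTH_PW` are populated; the user store is constructed.

```php
<?php
// Added example, not code from the thread: HTTP Basic auth accepted only
// over TLS. Assumes PHP runs as an Apache module (PHP_AUTH_USER/PHP_AUTH_PW).

const REALM = 'Restricted area'; // constructed realm string

// Constructed user store; password_hash() output, never plaintext.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function isHttps(): bool
{
    // $_SERVER['HTTPS'] is set by the web server itself on TLS connections.
    // X-Forwarded-Proto is deliberately not consulted: it is only trustworthy
    // when a known TLS-terminating proxy sets it, which this example assumes
    // is not the case.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function challengeBasic(): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . REALM . '", charset="UTF-8"');
    exit('Authentication required');
}

if (!isHttps()) {
    // Never even ask for credentials over plain HTTP.
    http_response_code(403);
    exit('Authentication is only accepted over HTTPS');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '' || !isset($users[$user]) || !password_verify($pass, $users[$user])) {
    challengeBasic();
}
echo 'Authenticated as ' . htmlspecialchars($user);
```

Browsers cache Basic credentials for a realm just as they do Digest credentials, so the logout limitation from the first post is the same here; what changes is only that TLS protects the password in transit.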


Powered by FluxBB