
What is the correct way to log out of HTTP authentication protected folder?

There are workarounds that can achieve this, but they are potentially dangerous because they can be buggy or don't work in certain situations / browsers. That is why I am looking for a correct and clean solution.



Mu. No correct way exists, not even one that's consistent across browsers.

This is a problem that comes from the HTTP specification (section 15.6):

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide a method for a server to direct clients to discard these cached credentials.

On the other hand, section 10.4.2 says:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.

In other words, you may be able to show the login box again (as @Karsten says), but the browser doesn't have to honor your request - so don't depend on this (mis)feature too much.

Sunday, October 30, 2022

The mod_rewrite way:

RewriteEngine on
# Put your own IP address here; the dots are escaped because the pattern is a regex
# (a trailing "# comment" on a RewriteCond line is not allowed by Apache)
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
RewriteCond %{REQUEST_URI} !^/index/
RewriteRule .? /index/ [R,L]

Monday, December 19, 2022

Run phpinfo(). If "Server API" is CGI/FCGI, you can pretty much forget it, as there is no sensible way to use HTTP auth from PHP.

Monday, December 12, 2022

It is possible to do HTTP Basic Authentication in pure classic ASP VBScript.

You will need something to decode Base64. Here is a pure VBScript implementation. You will also need to make sure that in your IIS config you turn off "Basic authentication" and "Integrated Windows authentication", as these will interfere with what you get back in the HTTP_AUTHORIZATION header.

Here is a sample implementation that just echoes back the user name and password.


<%@ Language="VBScript" %>
<!--#include file="decbase64.asp" -->
<%
' Send a 401 with a Basic challenge and stop processing the page
Sub Unauth()
    Call Response.AddHeader("WWW-Authenticate", "Basic realm=""SomethingGoesHere""")
    Response.Status = "401 Unauthorized"
    Call Response.End()
End Sub

Dim strAuth
strAuth = Request.ServerVariables("HTTP_AUTHORIZATION")

If IsNull(strAuth) Or IsEmpty(strAuth) Or strAuth = "" Then
    ' No credentials sent yet: challenge the client
    Call Unauth
Else
    Dim aParts, aCredentials, strPlain
    aParts = Split(strAuth, " ")
    ' Only the Basic scheme is handled here
    If UBound(aParts) < 1 Or aParts(0) <> "Basic" Then
        Call Unauth
    End If
    ' Base64Decode is provided by decbase64.asp
    strPlain = Base64Decode(aParts(1))
    ' Split on the first colon only; the password itself may contain colons
    aCredentials = Split(strPlain, ":", 2)
    If UBound(aCredentials) < 1 Then
        Call Unauth
    End If
%>
<%= Server.HTMLEncode(aCredentials(0) & " - " & aCredentials(1)) %>
<%
End If
%>

Hooking the user name and password up to something meaningful is left as an exercise for the reader.

Friday, September 30, 2022
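A small Python model, added here as an example (not code from any of the answers above), of the two behaviours this thread describes: the Basic header parsing the ASP answer does, with the scheme check and first-colon split it needs, and a "logout" URL that re-sends the same 401 challenge, which the spec excerpt in the first answer says the browser may or may not honour. The realm name is taken from the ASP answer; the USERS store and the basic_header helper are constructed for the demo.

```python
import base64
import binascii
import hmac

REALM = "SomethingGoesHere"   # realm string reused from the ASP answer above
CHALLENGE = [("WWW-Authenticate", 'Basic realm="%s"' % REALM)]
# Constructed credential store for the demo; real code stores password hashes.
USERS = {"alice": "s3cret:with:colons"}


def basic_header(user, password):
    # Build the header a browser sends after the user fills in the login box.
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def parse_basic_authorization(header):
    # Returns (user, password) or None. Rejects other schemes and bad Base64,
    # and splits on the FIRST colon only, since passwords may contain colons.
    if not header:
        return None
    parts = header.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def credentials_valid(user, password):
    # Constant-time compare; unknown users still go through a comparison so
    # response timing does not reveal which usernames exist.
    expected = USERS.get(user, "")
    return hmac.compare_digest(password.encode(), expected.encode()) and user in USERS


def handle_request(path, authorization):
    # Returns (status, headers, body). /logout re-sends the original challenge:
    # per the spec quoted above, the browser MAY prompt again but need not.
    if path == "/logout":
        return 401, CHALLENGE, "Logged out (the browser may still cache credentials)"
    creds = parse_basic_authorization(authorization)
    if creds is None or not credentials_valid(*creds):
        return 401, CHALLENGE, "Authentication required"
    return 200, [], "Hello " + creds[0]
```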

You probably have a .htaccess in your document root, so you would add to this file since it's the first so to speak -- if you want to protect the entire website. Otherwise add a .htaccess file in the directory you wish to protect.

Then, check out this howto:

In a nutshell, this is what you add:

AuthType Basic
AuthName "dev"
AuthUserFile /complete/path/to/.htpasswd
Require valid-user

The command to add users is:

htpasswd -c /complete/path/to/.htpasswd yourusername

Make sure you read the above howto anyway!

Saturday, October 8, 2022