What is the correct way to log out of HTTP authentication protected folder?
There are workarounds that can achieve this, but they are potentially dangerous because they can be buggy or don't work in certain situations / browsers. That is why I am looking for correct and clean solution.
The mod_rewrite way:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^123.45.67.[8-9]$ # your ip here
RewriteCond %{REQUEST_URI} !^/index/
RewriteRule .? /index/ [R,L]
Run phpinfo(). if "Server API" is CGI/FCGI, you can pretty much forget it as there is no sensible way to use HTTP auth from PHP.
It is possible to do HTTP Basic Authentication in pure classic ASP VBScript.
You will need something to decode base 64. Here is a pure VBScript implementation. You will also need to make sure that in your IIS config you turn off "Basic authentication" and "Integrated Windows authentication" as these will interfere with what you get back in the HTTP_AUTHORIZATION header.
Here is a sample implementation that just echoes back the user name and password.
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="decbase64.asp" -->
<%
Sub Unauth()
Call Response.AddHeader("WWW-Authenticate", "Basic realm=""SomethingGoesHere""")
Response.Status = "401 Unauthorized"
Call Response.End()
End Sub
Dim strAuth
strAuth = Request.ServerVariables("HTTP_AUTHORIZATION")
If IsNull(strAuth) Or IsEmpty(strAuth) Or strAuth = "" Then
Call Unauth
Else
%>
<html>
<body>
<%
Dim aParts, aCredentials, strType, strBase64, strPlain, strUser, strPassword
aParts = Split(strAuth, " ")
If aParts(0) <> "Basic" Then
Call Unauth
End If
strPlain = Base64Decode(aParts(1))
aCredentials = Split(strPlain, ":")
%>
<%= Server.HTMLEncode(aCredentials(0) & " - " & aCredentials(1)) %>
</body>
</html>
<%
End If
%>
Hooking the user name and password up to something meaningful is left as an exercise for the reader.
You probably have a .htaccess in your document root, so you would add to this file since it's the first so to speak -- if you want to protect the entire website. Otherwise add a .htaccess file in the directory you wish to protect.
Then, check out this howto: http://httpd.apache.org/docs/2.2/howto/auth.html
In a nutshell, this is what you add:
AuthType Basic
AuthName "dev"
AuthUserFile /complete/path/to/.htpasswd
Require valid-user
The command to add users is:
htpasswd -c /complete/path/to/.htpasswd yourusername
Make sure you read the above howto anyway!
Mu. No correct way exists, not even one that's consistent across browsers.
This is a problem that comes from the HTTP specification (section 15.6):
On the other hand, section 10.4.2 says:
In other words, you may be able to show the login box again (as @Karsten says), but the browser doesn't have to honor your request - so don't depend on this (mis)feature too much.