Logging Out
14 November 2005
From Apache's Authentication, Authorization, and Access Control FAQ:
How do I log out?
Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.
However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.
Consequently, the answer to this question is, you can't. Sorry.
Bzzt. Wrong answer. Here's a demo of how to log out using HTTP authentication:
The strategy is to set up two authenticated users, the real user and a 'nobody' user. Then one embeds a little-known in-line authentication method within the logout link which switches the username to 'nobody'. View source on the login page to see what this looks like. Also worth reading is the .htaccess file which controls the authentication.
Update: Henric and Mathieu both pointed out that Microsoft recently pushed out this security update for IE 6 which completely disables inline authentication on links. Which means the above technique no longer works on most people's browsers. No workarounds. Game over. Thank you Microsoft.
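The following added example (not the code behind the demo, and not from the original post) models why the switch to 'nobody' acts as a logout: the browser replaces its cached credential with the one from the link, and the server then refuses 'nobody' on every page except the logout page. The user names, passwords, paths, the `example.test` host and the rule layout are all assumptions made for illustration.

```javascript
// Constructed data: stands in for the password file and the per-path
// "Require user" rules an .htaccess setup like this would need (assumed).
const USERS = new Map([['alice', 'wonderland'], ['nobody', 'nobody']]);
const RULES = [ // first matching prefix wins
  ['/private/logout.html', ['alice', 'nobody']],
  ['/private/', ['alice']],
];

// Server side: 200 if the Basic credential is valid and allowed for the path.
function serverStatus(path, authHeader) {
  if (!authHeader || !authHeader.startsWith('Basic ')) return 401;
  const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return 401;
  const user = decoded.slice(0, sep);
  if (USERS.get(user) !== decoded.slice(sep + 1)) return 401;
  const rule = RULES.find(([prefix]) => path.startsWith(prefix));
  return rule && rule[1].includes(user) ? 200 : 401;
}

// Browser side: one cached Authorization header per origin (a real browser
// also keys on the realm). Credentials in the URL take priority over the
// cache and replace it when the server accepts them.
class Browser {
  constructor() { this.cache = new Map(); }
  visit(href) {
    const url = new URL(href);
    let header = this.cache.get(url.origin);
    if (url.username) {
      const cred = `${decodeURIComponent(url.username)}:${decodeURIComponent(url.password)}`;
      header = 'Basic ' + Buffer.from(cred, 'utf8').toString('base64');
    }
    const status = serverStatus(url.pathname, header);
    if (status === 200) this.cache.set(url.origin, header);
    else this.cache.delete(url.origin); // 401: browser would prompt again
    return status;
  }
}

// Login (URL form stands in for the typed prompt), browse, follow the
// logout link, then request the protected page again.
function logoutScenario() {
  const browser = new Browser();
  return [
    browser.visit('http://alice:wonderland@example.test/private/index.html'),
    browser.visit('http://example.test/private/report.html'),
    browser.visit('http://nobody:nobody@example.test/private/logout.html'),
    browser.visit('http://example.test/private/report.html'),
  ];
}
```

Because the 'nobody' password is readable in the page source, the scheme only holds if that account is authorized for nothing except the logout page, as in the rules above.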