Creating a .htaccess Logout
There is no way to log out of a .htaccess-protected directory; unfortunately, browsers have never implemented a "forget password" feature, so we need to be imaginative!
Browsers only store one password per realm, so we need to trick the browser into storing another user's ("fakeuser") credentials.
This guide will discuss a number of options. Not all of them are proven; they have been tested with mixed results.
The first method is not an actual logout and probably will not appeal to many but it works without fail. Very simply, your "logout" button is actually a "close-window" button. This ends the browser session, wiping the login details, forcing the user to re-enter their details next time they attempt to access the protected directory.
You can close the browser window without a prompt with the following code:
You can also try the following, which may appeal to you more. When accessing the protected area, open it in a new window; you can then use a standard window closer as the logout button. This has the advantage of keeping the parent window open, which you may prefer. However, I find that this method doesn't always work, as the parent window may also store the login credentials.
The following methods all share the same underlying idea: overwrite the logged-in user's credentials with a fake user's credentials.
We assume you have already created a password protected directory with .htaccess and .htpasswd files. If you haven't then do so immediately! We'll call this directory "Restricted".
Now, create a sub-directory outside of the "Restricted" directory called (for example) "logout". Password protect this directory, allowing access to one fake user. This fake user can have the username "fakeuser" and the password "fakepass". So the "logout" directory should now contain its own .htaccess and .htpasswd files allowing access only to user "fakeuser".
Next we create the logout button.
In order to replace the login information saved by the browser, we overwrite it with the information needed to access the "logout" directory. As it is a "logout link", we shouldn't have to enter any user information; it must be carried in the link.
So our link is:
When the link is clicked, the username and password allow access to the "logout" directory. You can create an index.htm in the "logout" directory which can display a good-bye message, links to other areas of your site, etc.
Also, since the browser has now saved the "new" user information, your users will have to log in again if they want to access the "Restricted" directory, thus completing the appearance of having logged out!
The third method is basically the same as method 2 but for the reasons highlighted above we make one important change.
This time we place the "logout" directory inside the restricted directory. Again, the "logout" directory allows access only to "fakeuser". The link code must reflect this change:
So far I have been unable to get this to work for me, so if you see that I'm doing something wrong and can improve on the method then please let me know so we can share it with others!
This method involves password protecting an individual file, not a sub-directory!
Keeping with the protected directory "Restricted", now create a file in this directory, which we can call "logout.htm". This file can contain your good-bye message etc.
In order to protect this file, using the same "fakeuser" info as previously (fakeuser & fakepass), we need to add the following to the .htaccess:
The logout link is almost the same as in the previous example but we need to direct it to the .htm document rather than a directory:
The result should be the same as previously.
You may have trouble "merging" password protection for both the Restricted directory and the logout.htm file in the directory. This may take some tweaking to sort out!
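One way to write the merged configuration for the single-file method, given here as an added example that is not part of the original guide. It assumes Apache 2.4 with `AllowOverride AuthConfig` in effect for the directory; the password file paths are placeholders, and keeping the fake user in a separate password file is an assumption made to avoid the merging problem.

```apache
# Restricted/.htaccess: constructed example, paths are placeholders.
# Assumes Apache 2.4 with "AllowOverride AuthConfig" for this directory.

AuthType Basic
# The realm name is what the browser stores its one set of credentials under.
AuthName "Restricted"
# Password file for the real users only. "fakeuser" must NOT be listed here,
# otherwise "Require valid-user" would let the fake login into the whole area.
# Keep password files outside the web-served directory tree.
AuthUserFile "/path/to/passwords/restricted.htpasswd"
Require valid-user

# Only logout.htm accepts the fake login. AuthType and AuthName are inherited,
# so the file sits in the same realm and a successful fake login replaces the
# real credentials the browser has saved for "Restricted".
<Files "logout.htm">
    # Hypothetical second password file holding just the "fakeuser" entry.
    AuthUserFile "/path/to/passwords/logout.htpasswd"
    # With the default "AuthMerging Off", this Require replaces the
    # directory-level "Require valid-user" for this one file.
    Require user fakeuser
</Files>
```

After the fake login, a request for any other file in "Restricted" is answered with 401 because "fakeuser" is not in the directory's password file, so the browser prompts again.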
Don't just rely on the .htaccess to do all the work; there are a number of things you can do to help.
How do I log out?
Since browsers first started implementing basic authentication, web site administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.
However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.
Consequently, the answer to this question is, you can't. Sorry.