Htaccess Tutorials

Creating a .htaccess Logout

Your feedback

As this is experimental, your feedback is very important. Give others the benefit of your testing by sending us feedback. Below is some of the feedback we have received.


From: Carl J
Comment: I originally tried to create a logout directory within the authenticated realm [enzo: Method 3 above] but the problem was that the browser didn't use the supplied user:password pair because it was already authenticated. I simply moved the logout target one step up (in my case from ~/eyeyam/dictionary/spencer/logout/ to ~/eyeyam/dictionary/) in the directory structure [enzo: Method 2 above] and then the new user:password pair was used by the browser, and since the original authenticated area (~/eyeyam/dictionary/spencer/) is hierarchically within this area, the user is forced to re-supply a valid user:password pair for ~/eyeyam/dictionary/spencer/.


From: Martti T
Comment: I read with interest your suggestions on basic htaccess "logout", and implemented method 2. It does work as advertised when I give fakeuser and fakepass in the authorization dialog box (old credentials are indeed overwritten) but I had no success in putting fakeuser:fakepass in the link as suggested. Mozilla Firefox 0.9 just ignores that and gives me the dialog box anyhow, whereas MSIE 6.0 tries to locate a server called fakeuser:fakepass@bioinf.uta.fi . So it seems that the syntax for providing username and password is obsolete, perhaps discarded for security reasons?


From: Tom D
Comment: This simple link solved the problem for me:

<a href="http://logout:logout@members.wifekeeper.com">Logout</a>.

Logged in members that click this link will be led to the 401 Authorization Required page and previous login details are wiped. The 401-page will now be reached by both leaving members and unauthorized visitors and should be changed accordingly. Personally, I intend to use the 401-page to tempt unauthorized visitors to buy a membership. Leaving members know that they are leaving. [Update: The MS security update causes this method to fail]


From: Ken ***
Comment: It is now possible to do this, at least with IE (dunno about the netscape/other browsers). I usually just make the logout page a separate page ... here's a copy of the one I use:

<script language="javascript">
document.execCommand("ClearAuthenticationCache") //clear cache
parent.location.href="default.htm" //redirect after logged out
</script>

Although I use ASP, you could obviously use SSI to code it to just return to the calling page, making it 100% dynamic:

parent.location.href="<!--#echo var="HTTP_REFERER" -->"

I use that on my intranet at work all the time - works like a charm!

Not sure if you're aware, but the "Cumulative Security Update for Internet Explorer (832894)" changed it where the method of using user:pass@site.com is no longer valid and will not work, due to there being exploits associated with that syntax.
You can re-enable it on your client machine (http://weblogs.asp.net/cumpsd/archive/2004/02/07/69366.aspx), but that's not a very good work-around for a webmaster.

Enzo: Tested Ken's method in IE, worked great. Unfortunately does not work in Mozilla/Firefox :(
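
An added example (not code from this page or its contributors): a small JavaScript check a webmaster could run over a site's links to find any that embed credentials in the URL, the syntax the feedback above reports as blocked by the IE update and ignored by Firefox. The function names, the `site.example` base and every sample link except the first are assumptions made for illustration.

```javascript
// Added example, not from the original page. Helper names are hypothetical.
// A user name that looks like a host name is the deceptive form: the reader
// sees "www.example.com", but the browser contacts whatever follows the "@".
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Inspect one href; `base` resolves relative links (hypothetical site root).
function auditHref(href, base = "http://site.example/") {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return { href, parsed: false, hasCredentials: false };
  }
  const isHttp = url.protocol === "http:" || url.protocol === "https:";
  const hasCredentials = isHttp && (url.username !== "" || url.password !== "");
  const result = { href, parsed: true, hasCredentials, host: url.host };
  if (!hasCredentials) return result;

  result.deceptive = HOSTLIKE.test(safeDecode(url.username));
  // The same link without userinfo: what to publish instead.
  url.username = "";
  url.password = "";
  result.cleaned = url.href;
  return result;
}

// Return only the links that need attention.
function auditLinks(hrefs, base) {
  return hrefs.map((h) => auditHref(h, base)).filter((r) => r.hasCredentials);
}

// Constructed sample input; the first link is the one quoted in the feedback.
const sample = [
  "http://logout:logout@members.wifekeeper.com",
  "http://www.example.com@198.51.100.7/login",
  "/members/index.html",
  "mailto:webmaster@site.example",
];
for (const r of auditLinks(sample)) {
  console.log(`${r.deceptive ? "DECEPTIVE" : "credentials"}  ${r.href} -> ${r.host} (use ${r.cleaned})`);
}
```

The `host` field is the server the browser would actually contact, which is the part a reader of the raw link can easily misjudge.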


From: Riku T
I think the "best" way to logout from .htaccess is as follows:
First, a JavaScript opens a pop-up window with all the toolbars, location bar, status bar, etc. Secondly, it closes the current window (the window you have the .htaccess to a file/folder). So here we have it, it opens exactly the same page, makes it maximized, then closes the one that is behind it; voila, you're logged out of the .htaccess.


From: Harvey F
...one thing about method 1. We successfully used the close browser strategy in IE, but testing disclosed it does not work in Mozilla. If you try to do the same, the browser window does not close and credentials remain intact. If you look @ js console, Mozilla shows:

"scripts may not close windows they have not opened".



Thanks to all for taking the time to submit their feedback and ideas.




