Creating a .htaccess Logout
Your feedback
As this is experimental, your feedback is very important. Give others the benefit
of your testing by sending us feedback. Below is some of the feedback we have received.
From: Carl J
Comment: I originally tried to create a logout directory
within the authenticated realm [enzo: Method 3 above] but the
problem was that the browser didn't use the supplied
user:password pair because it was already authenticated. I simply
moved the logout target one step up (in my case from
~/eyeyam/dictionary/spencer/logout/ to ~/eyeyam/dictionary/) in
the directory structure [enzo: Method 2 above] and then the new
user:password pair was used by the browser, and since the
original authenticated area (~/eyeyam/dictionary/spencer/) is
hierarchically within this area, the user is forced to re-supply
a valid user:password pair for ~/eyeyam/dictionary/spencer/.
From: Martti T
Comment: I read with interest your suggestions on basic htaccess "logout",
and implemented method 2. It does work as advertised when I give fakeuser and fakepass
in the authorization dialog box (old credentials are indeed overwritten) but I had no
success in putting fakeuser:fakepass in the link as suggested. Mozilla Firefox 0.9
just ignores that and gives me the dialog box anyhow, whereas MSIE 6.0 tries to locate
a server called fakeuser:fakepass@bioinf.uta.fi . So it seems that the syntax for
providing username and password is obsolete, perhaps discarded for security reasons?
From: Tom D
Comment: This simple link solved the problem for me:
<a href="http://logout:logout@members.wifekeeper.com">Logout</a>.
Logged in members that click this link will be led to the 401 Authorization Required
page and previous login details are wiped. The 401-page will now be reached by both
leaving members and unauthorized visitors and should be changed accordingly.
Personally, I intend to use the 401-page to tempt unauthorized visitors to buy a
membership. Leaving members know that they are leaving. [Update: The MS security
update causes this method to fail]
From: Ken ***
Comment: It is now possible to do this, at least with IE (dunno about the
netscape/other browsers). I usually just make the logout page a separate page ...
here's a copy of the one I use:
<script language="javascript">
document.execCommand("ClearAuthenticationCache") //clear cache
parent.location.href="default.htm" //redirect after logged out
</script>
Although I use ASP, you could obviously use SSI to code it to just
return to the calling page, making it 100% dynamic:
parent.location.href="<!--#echo var="HTTP_REFERER" -->"
I use that on my intranet at work all the time - works like a charm!
Not sure if you're aware, but the "Cumulative Security Update for Internet Explorer
(832894)" changed it where the method of using user:pass@site.com is no longer valid
and will not work, due to there being exploits associated with that syntax.
You can re-enable it on your client machine
(http://weblogs.asp.net/cumpsd/archive/2004/02/07/69366.aspx), but that's not a
very good work-around for a webmaster.
Enzo: Tested Ken's method in IE, worked great. Unfortunately does not work
in Mozilla/Firefox :(
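The comments above report that links of the form user:password@host are ignored or rejected by browsers. As an added example (not code from this page or from any commenter), the following check finds such links in a page so a webmaster can replace them; the function names, the base URL and the example.com host are assumptions made for illustration.

```javascript
// Added example: list links that carry credentials in the URL userinfo part
// (user:password@host) and show the credential-free form of each.
// SAMPLE_HTML is constructed for illustration; hosts are placeholders.
const SAMPLE_HTML = [
  '<a href="http://logout:logout@members.example.com">Logout</a>',
  '<a href="/members/index.html">Members area</a>',
  "<a href='mailto:webmaster@example.com'>Contact</a>",
  '<a href="http://www.example.com/help">Help</a>'
].join("\n");

// Return the URL with username and password removed.
function stripUserinfo(parsed) {
  const clean = new URL(parsed.href);
  clean.username = "";
  clean.password = "";
  return clean.href;
}

// Scan href attributes and report those whose parsed URL has userinfo.
// baseUrl resolves relative links the way a browser would.
function findCredentialLinks(html, baseUrl) {
  const findings = [];
  const hrefPattern = /href\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let match;
  while ((match = hrefPattern.exec(html)) !== null) {
    const raw = match[1] !== undefined ? match[1] : match[2];
    let parsed;
    try {
      parsed = new URL(raw, baseUrl);
    } catch (err) {
      continue; // skip values that are not parseable URLs
    }
    // mailto: addresses contain "@" but have no userinfo, so they pass.
    if (parsed.username !== "" || parsed.password !== "") {
      findings.push({
        raw: raw,
        username: parsed.username,
        hasPassword: parsed.password !== "",
        host: parsed.host,            // the server actually contacted
        stripped: stripUserinfo(parsed)
      });
    }
  }
  return findings;
}

console.log(findCredentialLinks(SAMPLE_HTML, "http://members.example.com/"));
```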
From: Riku T
I think the "best" way to logout from .htaccess is as follows:
First, a JavaScript opens a pop-up window with all the toolbars, location bar,
status bar, etc. Secondly, it closes the current window (the window you have
the .htaccess to a file/folder). So here we have it, it opens exactly the same
page, makes it maximized, then closes the one that is behind it; voila, you're
logged out of the .htaccess
From: Harvey F
...one thing about method 1. We successfully used the close browser strategy in
IE, but testing disclosed it does not work in Mozilla. If you try to do the same,
browser window does not close and credentials remain intact. If you look @ js console,
Mozilla shows:
"scripts may not close windows they have not opened".
Thanks to all for taking the time to submit their feedback and ideas.