HTTP authentication example with logout function

Due to a user request, I extended my older HTTP authentication snippet with a logout function.

This may also be achieved by using sessions; search the related
php.net page to find more related snippets and comments.

Update: Sorry, this only works in Firefox.
In Internet Explorer this technique is disabled by default.
(You may look at the related links to find some further help.)

Snippet information

Author:
Jonas John

License:
Public Domain

Language:
PHP

Created:
09/15/2007

Updated:
09/15/2007

Related links:
- A simpler login method (without logout)
- php.net: HTTP authentication with PHP
- Gallery2 solution


<?php
// The full URL to this file (without the scheme) is required
// for the logout function
$CurrentUrl         = 'www.jonasjohn.de/test_login.php';
 
// Status flags:
$LoginSuccessful    = false;
$Logout             = false;
 
// Check username and password:
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){
 
    $usr = $_SERVER['PHP_AUTH_USER'];
    $pwd = $_SERVER['PHP_AUTH_PW'];
 
    // Does the user want to log in or log out?
    // (strict comparison avoids PHP's loose type juggling)
    if ($usr === 'jonas' && $pwd === 'foobar'){
        $LoginSuccessful = true;
    }
    else if ($usr === 'reset' && $pwd === 'reset' && isset($_GET['Logout'])){ 
        // reset is a special login for logout ;-)
        $Logout = true;
    }
}
 
 
if ($Logout){
 
    // The user clicked on "Logout"
    print 'You are now logged out.';
    print '<br/>';
    print '<a href="http://'.$CurrentUrl.'">Login again</a>';
}
else if ($LoginSuccessful){
 
    // The user entered the correct login data, put
    // your confidential data in here: 
    print 'You reached the secret page!<br/>';
    print '<br/>';
 
    // This will not clear the authentication cache, but
    // it will replace the "real" login data with bogus data
    print '<a href="http://reset:reset@'. $CurrentUrl .'?Logout=1">Logout</a>';
}
else {
 
    /* 
    ** The user gets here if:
    ** 
    ** 1. The user entered incorrect login data (three times)
    **     --> User will see the error message from below
    **
    ** 2. Or the user requested the page for the first time
    **     --> Then the 401 headers apply and the "login box" will
    **         be shown
    */
 
    // The text inside the realm section will be visible for the 
    // user in the login box
    header('WWW-Authenticate: Basic realm="Top-secret area"');
    header('HTTP/1.0 401 Unauthorized');
 
    // Error message
    print "Sorry, login failed!\n";
    print "<br/>";
    print '<a href="http://' . $CurrentUrl . '">Try again</a>';
 
}
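
A server-side variant of the logout, added here as an example and not part of the original snippet: it uses a session flag instead of the `reset:reset@` URL, so it does not depend on the browser accepting credentials in URLs. The names `$users`, `valid_login()`, `challenge()` and `reject_once` are assumptions, and it relies on the browser prompting again when a request that carried credentials is answered with 401.

```php
<?php
// Added example (not the author's code). Assumed names: $users,
// valid_login(), challenge() and the 'reject_once' session key.
session_start();

// Constructed sample account. Store password_hash() output, not plaintext.
$users = ['jonas' => password_hash('foobar', PASSWORD_DEFAULT)];

function valid_login(array $users, ?string $usr, ?string $pwd): bool
{
    if ($usr === null || $pwd === null || !isset($users[$usr])) {
        return false;
    }
    return password_verify($pwd, $users[$usr]);
}

function challenge(string $message): void
{
    // Both headers must be sent before any output.
    header('WWW-Authenticate: Basic realm="Top-secret area"');
    http_response_code(401);
    print $message;
    exit;
}

$usr = $_SERVER['PHP_AUTH_USER'] ?? null;
$pwd = $_SERVER['PHP_AUTH_PW'] ?? null;

if (isset($_GET['Logout'])) {
    // Mark the session so the credentials the browser has cached are
    // refused the next time it sends them.
    $_SESSION['reject_once'] = true;
    print 'You are now logged out.<br/><a href="?">Login again</a>';
    exit;
}

if ($usr !== null && !empty($_SESSION['reject_once'])) {
    // First request with credentials after logout: refuse it once, so
    // the browser treats its cached login as rejected and asks again.
    unset($_SESSION['reject_once']);
    challenge('Please log in again.');
}

if (!valid_login($users, $usr, $pwd)) {
    challenge('Sorry, login failed!');
}

print 'You reached the secret page!<br/><a href="?Logout=1">Logout</a>';
```

The logout page answers with a normal 200 response on purpose: the cached credentials are rejected on the next request instead, so the user is prompted only once when logging in again.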


Comments:

Mohammad August 18, 2009 at 09:50
This will not work in IE 7 where
"the username and password are no longer allowed in the URL (e.g. http://user:pass@yourwebsite)."

Jack August 07, 2008 at 16:02
The section that handles the logging out process can be improved.
Instead of redirecting the user, you can set the HTTP auth variables as empty; this will unset the current user's session.

maarten July 18, 2008 at 11:37
This function no longer works. Since the introduction of IE 7, the username and password are no longer allowed in the URL (e.g. http://user:pass@yourwebsite).
The credentials are NOT reset and the user is still 'logged on'.

Chams December 19, 2007 at 10:02
Hi Jonas, this is working great. Thank you so much.