HTTP authentication example with logout function

Due a user request I extended my older HTTP authentication snippet with a logout function.

This may also be achieved by using sessions, search the related page to find some more related snippets and comments.

Update: Sorry this does only work in Firefox.
In the Internet explorer this technique is disabled by default.
(You may look at the related links to find some further help.)

// The full url to this file is required for 
// the Logout function
$CurrentUrl         = '';
// Status flags:
$LoginSuccessful    = false;
$Logout             = false;
// Check username and password:
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){
    $usr = $_SERVER['PHP_AUTH_USER'];
    $pwd = $_SERVER['PHP_AUTH_PW'];
    // Does the user want to login or logout?
    if ($usr == 'jonas' && $pwd == 'foobar'){
        $LoginSuccessful = true;
    else if ($usr == 'reset' && $pwd == 'reset' && isset($_GET['Logout'])){ 
        // reset is a special login for logout ;-)
        $Logout = true;
if ($Logout){
    // The user clicked on "Logout"
    print 'You are now logged out.';
    print '<br/>';
    print '<a href="http://'.$CurrentUrl.'">Login again</a>';
else if ($LoginSuccessful){
    // The user entered the correct login data, put
    // your confidential data in here: 
    print 'You reached the secret page!<br/>';
    print '<br/>';
    // This will not clear the authentication cache, but
    // it will replace the "real" login data with bogus data
    print '<a href="http://reset:reset@'. $CurrentUrl .'?Logout=1">Logout</a>';
else {
    ** The user gets here if:
    ** 1. The user entered incorrect login data (three times)
    **     --> User will see the error message from below
    ** 2. Or the user requested the page for the first time
    **     --> Then the 401 headers apply and the "login box" will
    **         be shown
    // The text inside the realm section will be visible for the 
    // user in the login box
    header('WWW-Authenticate: Basic realm="Top-secret area"');
    header('HTTP/1.0 401 Unauthorized');
    // Error message
    print "Sorry, login failed!\n";
    print "<br/>";
    print '<a href="http://' . $CurrentUrl . '">Try again</a>';
Snippet Details

Sorry folks, comments have been deactivated for now due to the large amount of spam.

Please try to post your questions or problems on a related programming board, a suitable mailing list, a programming chat-room,
or use a QA website like stackoverflow because I'm usually too busy to answer any mails related
to my code snippets. Therefore please just mail me if you found a serious bug... Thank you!

Older comments:

zcvzvc July 04, 2011 at 06:09
Mohammad August 18, 2009 at 09:50
This will not work in IE 7 where
"the username and password are no longer alowed in the URL (eg. http://user:pass@yourwebsite)."
Jack August 07, 2008 at 16:02
The section that handles the logging out process can be improved.
Instead of redirecting the user, you can set the HTTP auth variables as empty, this will unset the current user's session.
maarten July 18, 2008 at 11:37
This function does not longer work. sinds the introduction of IE 7 the username and password are no longer alowed in the URL (eg. http://user:pass@yourwebsite).
The credentials are NOT reset and the user is stille 'loged on'
Chams December 19, 2007 at 10:02
HI Jonas, This is working great . Thank you so much