Htaccess Tutorials

Creating a .htaccess Logout


Introduction::

There is no way to log out of a .htaccess protected directory: HTTP Basic authentication has no logout mechanism, and unfortunately browsers have never implemented a "forget password" feature that a server could trigger. So we need to be imaginative!

Browsers cache only one username and password per realm on a given host, and resend it with every request to that area, so we need to trick the browser into overwriting the real user's credentials with a "fakeuser's" credentials. (Basic authentication sends the password with every request, merely base64-encoded, so a protected directory should be served over HTTPS.)

This guide discusses a number of options; not all of them are proven, and they have been tested with mixed results.



Method 1::

The first method is not an actual logout and probably will not appeal to many, but it is the only one that does not depend on the credential-overwriting trick. Very simply, your "logout" button is actually a "close-window" button. Cached Basic authentication details live for the browser session, so once the last browser window is closed they are gone, forcing the user to re-enter their details next time they attempt to access the protected directory. Note that closing one window while other windows of the same browser stay open does not end the session, so the login details survive.

The following code attempts to close the browser window without a prompt (see the comments below for where it fails):

<head>
<script type="text/javascript">
// Try to close the current window. Browsers only honour window.close()
// on windows that a script opened; the self.opener assignment is an old
// IE workaround that modern browsers ignore, so the window may simply
// stay open and the login details with it.
function closewindow() {
  self.opener = self;
  self.close();
  return false;
}
</script>
</head>

<body>
<a href="#" onclick="return closewindow();">Close Window</a>
</body>


You can also try the following, which may appeal to you better. When accessing the protected area, open it in a new window; you can then use a standard window closer as the logout button. This has the advantage of keeping the parent window open, which you may prefer. However, it is not a real logout: the cached login details belong to the browser session, not to the window, so the parent window (and any window opened afterwards) still holds the credentials.


Comments:

  1. It works in older versions of IE, but Mozilla (like every current browser) will not close a window that a script did not open.
  2. It means you have to close the browser window, which you may not want to do.
  3. You lose focus from your site.


The following methods all rely on the same underlying trick: overwrite the logged-in user's cached credentials with a fake user's credentials. For the browser to overwrite rather than add, it must see the "logout" area as the same realm as the protected area, which means the same AuthName in both .htaccess files.



Method 2::

We assume you have already created a password protected directory with .htaccess and .htpasswd files. If you haven't, then do so immediately! We'll call this directory "Restricted".

Now, create a separate directory alongside the "Restricted" directory called (for example) "logout". Password protect this directory, allowing access to one fake user only. This fake user can have the username "fakeuser" and the password "fakepass". The "logout" directory should now contain its own .htaccess and .htpasswd files allowing access only to user "fakeuser".

Next we create the logout button.

In order to replace the login information saved by the browser, we overwrite it with the information needed to access the directory "logout". As it is a 'logout link', the user shouldn't have to enter any user information, so the fake user's credentials must be carried in the link itself (the user:password@host form of a URL).

So our link is:

<a href="http://fakeuser:fakepass@yourdomain.com/logout/">Logout</a>

When the link is clicked, the browser is challenged for the "logout" directory and answers with the username and password embedded in the link, which gives access. You can create an index.htm in the "logout" directory which displays a good-bye message, links to other areas of your site, etc.

Also, since the browser has now saved the "new" user information in place of the old, your users will have to log in again if they want to access the "Restricted" directory, thus completing the appearance of having logged out! Be aware that browsers have restricted credentials embedded in URLs over the years: Internet Explorer dropped support for the user:password@host form in HTTP URLs, Firefox shows a confirmation prompt before sending them, and Chrome strips them from subresource requests, so test the link in every browser you need to support.


Comments:

  1. Can be difficult to set up, but it does work after some effort.
  2. You may run into the problem that the browser treats the "logout" directory as a new realm and stores the fake user's credentials alongside those for the "Restricted" directory instead of replacing them. This happens when the two .htaccess files use different AuthName values; give "logout" exactly the same AuthName as "Restricted".
  3. The following site uses almost the same method: http://www.columbia.edu/acis/webdev/password-logout.html


Method 3::

The third method is basically the same as method 2 but for the reasons highlighted above we make one important change.

This time we place the "logout" directory inside the restricted directory. Again, the "logout" directory allows access only to "fakeuser". The link code must reflect this change:

<a href="http://fakeuser:fakepass@yourdomain.com/Restricted/logout/">Logout</a>


Comments:

  1. You may get the problem that a user who has already accessed "Restricted" can also access "logout" with their real credentials: the browser sends the cached login for everything under "Restricted", no 401 is returned, the fake credentials in the link are never used, and the method fails. This happens if the real users are also listed in the password file that "logout" uses, or if the "logout" .htaccess is not being applied at all; give "logout" its own .htpasswd containing only "fakeuser".
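The configuration behind Methods 2 and 3, as an added example that is not part of the original page. It assumes Apache 2.2 or 2.4 with AllowOverride AuthConfig enabled for these directories, the document root /www and the directory names "Restricted" and "logout" from the text; the realm name "Members Area" and the password file paths are assumptions. The detail both methods depend on is that the two .htaccess files declare the same AuthName, so the browser treats them as one realm and replaces the cached credential instead of storing a second one.

```apache
# /www/Restricted/.htaccess  (the protected area)
AuthType Basic
AuthName "Members Area"
AuthUserFile /www/Restricted/.htpasswd
Require valid-user

# /www/Restricted/logout/.htaccess  (Method 3)
# For Method 2 the same file goes in /www/logout/.htaccess instead.
# AuthName is deliberately identical to the parent's: the browser caches
# one credential per host and realm, so when fakeuser's login is accepted
# here it replaces the real user's cached login for "Members Area".
# The password file is separate and lists only fakeuser, so the real
# user's cached credential is rejected with a 401 and the browser falls
# back to the fakeuser:fakepass carried in the logout link.
AuthType Basic
AuthName "Members Area"
AuthUserFile /www/Restricted/logout/.htpasswd
Require user fakeuser

# Weak variant, shown for contrast: a different AuthName makes the browser
# treat "logout" as a second realm. It keeps the "Members Area" credential
# and adds a new one for "Logout", so the user is never re-prompted.
#
# AuthType Basic
# AuthName "Logout"
# AuthUserFile /www/Restricted/logout/.htpasswd
# Require user fakeuser
```

Create the fake user's password file with `htpasswd -c /www/Restricted/logout/.htpasswd fakeuser` (it prompts for the password; `-c` creates the file, so leave it off when adding a user to an existing file). Keep that file separate from the real users' .htpasswd: if the real users can authenticate to "logout", the browser's cached credential is simply accepted there and the overwrite never happens.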


Method 4::

So far I have been unable to get this to work for me, so if you see that I'm doing something wrong and can improve on the method then please let me know so we can share it with others!

This method involves password protecting an individual file, not a sub-directory!

Keeping with protected directory "Restricted" now create a file in this directory we can call "logout.htm". This file can contain your good-bye message etc.

In order to protect this file with the same "fakeuser" details as previously (fakeuser & fakepass), we need to add the following to the .htaccess file in "Restricted" (fakeuser must also be listed in that directory's .htpasswd, since that is the AuthUserFile used):

<Files logout.htm>
# <Limit ALL> is not valid ("ALL" is not an HTTP method) and is not needed:
# without a <Limit>, the Require below applies to every request method.
# Repeat AuthType and AuthName here, using the same AuthName as the
# "Restricted" directory ("Restricted" below stands for whatever realm
# name that directory uses) so the browser sees a single realm.
AuthType Basic
AuthName "Restricted"
AuthUserFile /www/Restricted/.htpasswd
Require user fakeuser
</Files>

The logout link is almost the same as in the previous example but we need to direct it to the .htm document rather than a directory:

<a href="http://fakeuser:fakepass@yourdomain.com/Restricted/logout.htm">Logout</a>

The result should be the same as previously.

You may have trouble "merging" password protection for both the Restricted directory and the logout.htm file in the directory. This may take some tweaking to sort out!


Comments:

  1. Protecting the individual file can be a problem. "Experts" have told me it can be done, but I have not had success with this method.
  2. You may need to place "logout.htm" in a sub-directory of "Restricted" so that you can place its own .htaccess file in that directory.


Final Comment:

Don't just rely on the .htaccess to do all the work; there are a number of things you can do to help.
Example: one application which I created for someone uses SSI extensively not only to redirect each logged-in user to their own directory, but also to keep users away from other users' files and to force all users to enter only through the login page.



Your comments:

Feedback on this guide is very important, it will help the many others who drop in here looking for a solution. So far we have received a number of comments which should help you.




Quotation from "Apache HTTP Server Version 1.3 - Authentication, Authorization, and Access Control"

How do I log out?

Since browsers first started implementing basic authentication, web site administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.

However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.

Consequently, the answer to this question is, you can't. Sorry.