
How do I create an HTACCESS LOGOUT?

Status
Not open for further replies.

Hisakata

Technical User
Sep 24, 2002
36
US
Anyone know how to do this? I would really appreciate it. Thank you so much!
 
Hello again!

I don't think it's possible to do this but I know a workaround! Browsers only save 1 realm password so we need to create a new one.
It's a little awkward but it works!

Create a sub-directory called "logout".
Password protect this directory the same way using .htaccess and .htpasswd files.
Set the username AND password for the directory as "logout".

Then on your other pages, wherever you want a logout button, use the following link:

<a href="logout</a>

What this does is basically login as user logout!
In your logout directory you should create an index file with a message "Good bye" or maybe some links or else a redirect to another file or directory!

make sense


 
Nice workaround. [smurf]
01101000011000010110010001110011
 
Oops, for some reason the link got screwed up when I posted it and I only noticed now:

<a href="logout:logout@yoursite.com/directory/logout/">logout</a>

In the link it should be username:password@yourdomain/directory/etc

This works fine for me but not for Hisakata so if anybody has any suggestions!

Thx for the start btw!



 
Hi,

I was playing with this whole idea last night and came up with this:


It's not totally finished or anything, and it's only an idea. But anybody is welcome to use it or (hopefully) improve on it.

I'll do some more work with it if I can.

Check readme.txt to see if you can understand what I was trying to do.



 
Hi mate,

An easier way is simply to remove the fakeuser from the htpasswd.

When the request is made for a user that does not exist, it should log you out from the original request. Doing it the way that you have it, you are giving yourself more work, and the user could overcome the security.

Just redirect the user to
Code:
fake:fake@domain.com
but don't actually have a user with those details.

Hope this helps Wullie

sales@freshlookdesign.co.uk

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
But then that means that the user would have to keep hitting the OK button to log out, correct?

Please give me more details, thanks Wullie.
 
Hi Wullie,

If the fakeuser doesn't actually exist but you "logout" as 'him' does it actually overwrite the information stored by your browser?
The problem we had was that if we go right back to the protected directory we were still logged in.

When we redirect with the fake user, should it be to a location inside or outside of the protected directory? As far as I know it needs the same AuthType and AuthName to overwrite the info, or am I way off the mark? :)

Thx for your help Wullie!



 
Hi mate,

When you go to
Code:
fake:fake@test.com
then the browser stores those details and overwrites the original.

Because you actually have a user by the fake name, then they are still logged in but under a different username and password. Effectively, they could still access the protected directory with the fake user and pass.

You must send the user to the protected directory with the fake user and pass, and it must use the same auth files to actually overwrite the details, otherwise you are logged into both directories.

Hope this helps Wullie

sales@freshlookdesign.co.uk

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
Hi mate,

Another way,

Create a custom 401 error page for the directory, then add a login form etc to the error page.

When the user clicks logout, then they are shown the password prompt again, if they want to log in again they can, otherwise they click cancel and see the 401 error page.

What you are trying to achieve is a workaround, not the actual way that this is supposed to be. Htaccess does not support a "logout" function so logging in as another user defeats the security that htaccess provides as you need to do other server side checks to make sure that the fake user does not access the directory.

For this reason, you don't want to log in as an actual user but instead trick the browser into requiring the username and password again by sending incorrect details.

Hope this helps Wullie

sales@freshlookdesign.co.uk

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
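
The server-side point made in the posts above, as an added example that is not part of the original thread: a small Python model of the check applied to every Basic-auth request, showing that a "logout" account listed in .htpasswd is itself let into the protected directory, while a name that is absent gets a 401. The account names, passwords and the `status_for` helper are constructed for illustration; real .htpasswd files hold password hashes, not plaintext.

```python
import base64
import hmac

# Constructed sample data (not from the thread): stand-ins for .htpasswd.
# Plaintext is used only to keep the model short; real files store hashes.
HTPASSWD_WITH_LOGOUT_USER = {"realuser": "s3cret", "logout": "logout"}
HTPASSWD_WITHOUT_FAKE = {"realuser": "s3cret"}


def basic_header(user, password):
    """Authorization header a browser derives from user:password@host."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header):
    """Return (user, password) from the header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def status_for(header, htpasswd, require_users=None):
    """HTTP status for a request to the protected directory.

    require_users=None models "Require valid-user"; a set of names models
    "Require user ...". There is no session: each request is judged only
    on the credentials it carries, which is why no server-side logout exists.
    """
    creds = parse_basic(header) if header else None
    if creds is None:
        return 401
    user, password = creds
    stored = htpasswd.get(user)
    # Constant-time comparison avoids leaking how much of the password matched.
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401
    if require_users is not None and user not in require_users:
        return 401
    return 200
```

With `HTPASSWD_WITH_LOGOUT_USER` and no `require_users`, the "logout" credentials return 200 for the protected directory; restricting `require_users` to the real account or dropping the entry from the password file turns that into 401.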
 
Hi Wullie,

Ok, think I'm getting it.
One problem I had was that I was logging out as fakeuser:fakepass but if I tried to access the protected directory I was still logged in as realuser.

I'll try it tonight without the info in .htpasswd

Thx again for your help!


 
Usually, browsers do not save information if they receive a 401 response. Most browsers just continue using the old credentials when they receive a 401 for new ones. //Daniel
 