Hi,

Just wonderering how I could make agood 'logout' option from the members area. (protected with .htacess en .htpasswd) After browsing on the internet I found out that standard this is not possible. But maybe there is a good workaround. Any ideas?

I believe the only way to "log out" of a .htaccess protected site is to end the browser session (ie: close it).

I don't think there is any other way, I could be wrong though...

- Mark

Astro-Boy!!
http://www.zip.com.au/~astroboy/

Ohh, there are some. But the question is who knows a good one!

Just an idea:

- Logout button places sessioncookie "expire=1". Scripts should check for expire cookie default.

.htaccess doesn't check for cookies...

You could password protect a script which checks for the cookie, but that kinda defeats the purpose of using .htaccess doesn't it? (why not just validate with the script, etc...)

- Mark

Astro-Boy!!
http://www.zip.com.au/~astroboy/

No, but offcourse I could modify the scripts placed in the protected dir to check for "expire=1" or something like that....Allthough I didn't visit this board for a while and forgot a lot of tricks: I'm not a novice.

There is no need to have a logout feature with .htaccess.

You only need to logout if using cookies or something like that.

If you close your browser that is as good as logging out. No sensitive information will be retained on your pc.

I know, only I can't rely on my users!
So I'll need to find a workaround like extra (!) cookie checks or javascript to close all browser windows.

You are missing the point. There is no need to perform checks with .htaccess - that is the whole point of using it.

The only thing you can do is have a button or something saying "Press Me" and it will close the browser.

No I'm not. I know how .htaccess works.

I added the button long ago, but now want something more robust. Like EXTRA (!) cookie check or using a special dir with the same .htaccess file but no valid password. That seems alsow to do the trick. After going to a link behind ijn that dir the browser flushed out the strored username and password in the cache.


I was just hoping to find some exstra insight, nothing more.

I'm just not sure what you are trying to achieve.

If they have logged in using BASIC AUTH then they are authenticated. What is the point in a cookie check?

Even if the cookie check fails they will still be allowed into the protected directory.

I'll try to explain:

If a user of my database management system (logged in though htaccess) leaves his personal computer, collegeas could still abuse the system. By closing all browser windows he would be logged out and no abuse can happen. BUT Iif he doesn't I would like to have a safety (back-up) system. is the more crear or not? please let me know....

Thats not your responsibility. If the user forgets to close the browser that is their problem. If you provide a logout button to close the browser that it is their responsibiility to click it.

A cookie check would be pointless as if they've left the computer then the page will not move and so the script can't check the cookie.

The only way is probably javascript to close the browser after x seconds but even that probably wont work as the user has to lcick ok for it to shut I think.

Easy to say but they are all employees of our company. That's why I (as you could read) adding a log tool. for all add/modify/delete actions. To investigate toubles!

Well as far as I know there is no way to do it.

You can lock them out of the script using session cookies but that won't keep them out of the protected directory.