How to Log Out of an Application that Uses HTTP Authentication

I’m working on an application right now that uses the simple 401 (Unauthorized) response code and the “WWW-Authenticate” HTTP header to have the browser prompt the user for a username and password. This mostly works as expected, but I also want the user to be able to log out of the application, which is not so easily done. Once the browser has accepted a username and password for a realm, it caches them and resends them in the “Authorization” header with every request to that realm. The CFLOGOUT tag only clears ColdFusion’s own login state; it does not tell the browser to stop sending the header containing your credentials to protected pages, so the only way to be sure you are logged out is to end the session from the browser’s perspective, which means closing it. I’m experimenting with another technique, though, and I’d like to get some feedback.

The only people who log into this application I’m working on are system administrators, so the solution doesn’t have to look pretty as long as it works. The idea is to make the browser discard the cached credentials by answering the “logout” request with a fresh 401 challenge for the same realm as the protected pages, exactly as if the credentials it just sent had been rejected. The “logout” code I came up with looks like this:

<cffunction name="logout" access="public" output="true">
    <!--- access and output were elided in the original listing; they are assumed here so the script below is written to the response --->
    <!--- Answer with a new challenge for the SAME realm as the protected pages, so the browser treats the credentials it just sent as rejected --->
    <cfheader statuscode="401" statustext="Unauthorized"/>
    <cfheader name="WWW-Authenticate" value="Basic realm=""admin"""/>
    <!--- The 401 body is rendered once the user cancels the prompt; send him to a public page --->
    <script language="javascript">
        document.location = '../index.cfm';
    </script>
</cffunction>

When the user clicks on the “Log Out” link, the function above is executed. Because the response is a 401 for a realm the browser already holds credentials for, the browser prompts the user for a username and password; the user clicks Cancel, the browser forgets the previous (presumably correct) credentials and renders the 401 body, whose script redirects him to an unprotected, public index page. All subsequent requests to the protected admin section of the application are then sent without valid credentials, and the browser prompts for new ones. Two things to watch: the realm in the logout response has to match the realm of the protected pages exactly, because the browser caches credentials per realm and a challenge for a different realm leaves the admin credentials untouched; and if the user types the correct password into the prompt instead of cancelling, he is simply logged straight back in.

This seems to work well in the few browsers I’ve tested with, though, as I said, it’s not that pretty, and wouldn’t be a good solution for end users. For admins, though, it seems reasonable.
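The same exchange, as an added example in Python rather than the post’s ColdFusion: a minimal server that protects everything under an assumed /admin/ prefix with Basic auth and answers an assumed /admin/logout path with a fresh challenge for the same realm, even when the request carried valid credentials. The realm name “admin”, the paths, the single admin account and the demo_exchange() client are all constructed for this illustration and are not the original application’s.

```python
"""Minimal HTTP Basic-auth server with a forced re-challenge logout endpoint.

Added example, not the post's ColdFusion code.  The realm "admin", the /admin/
prefix, the /admin/logout path, the admin account and demo_exchange() are
all constructed for this illustration.
"""
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN_REALM = "admin"                            # assumed; must match the protected pages
ADMIN_USER, ADMIN_PASSWORD = "admin", "s3cret"   # constructed demo credentials

# Body served with the logout 401.  A browser renders it after the user cancels
# the prompt; the script then moves him to a public page (assumed path).
LOGOUT_BODY = (b"<!DOCTYPE html><html><body><script>"
               b"document.location = '/index.html';"
               b"</script>Logged out.</body></html>")


def basic_header(user, password):
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def credentials_valid(authorization):
    """True only for a well-formed Basic header carrying the admin user/password."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    # Constant-time comparisons so a wrong guess doesn't leak how much of it matched.
    return hmac.compare_digest(user, ADMIN_USER) and hmac.compare_digest(password, ADMIN_PASSWORD)


class Handler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):   # keep the demo quiet
        pass

    def send_body(self, status, body, challenge=False):
        self.send_response(status)
        if challenge:
            # Same realm as the protected pages: browsers cache Basic credentials
            # per realm, and a challenge for another realm leaves them untouched.
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % ADMIN_REALM)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/admin/logout":
            # Challenge even when the request carried valid credentials: the 401
            # is what makes the browser treat its cached credentials as rejected.
            self.send_body(401, LOGOUT_BODY, challenge=True)
        elif self.path.startswith("/admin/"):
            if credentials_valid(self.headers.get("Authorization")):
                self.send_body(200, b"admin area")
            else:
                self.send_body(401, b"authentication required", challenge=True)
        else:
            self.send_body(200, b"public page")


def demo_exchange():
    """Run the server on a free local port and replay the flow; returns
    {name: (status, WWW-Authenticate header or None)} per request."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]

    def get(path, authorization=None):
        req = urllib.request.Request(base + path)
        if authorization:
            req.add_header("Authorization", authorization)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.headers.get("WWW-Authenticate")
        except urllib.error.HTTPError as err:   # urllib raises on 401
            return err.code, err.headers.get("WWW-Authenticate")

    good = basic_header(ADMIN_USER, ADMIN_PASSWORD)
    try:
        return {
            "public": get("/index.html"),
            "admin_no_creds": get("/admin/"),
            "admin_bad_creds": get("/admin/", basic_header(ADMIN_USER, "wrong")),
            "admin_good_creds": get("/admin/", good),
            "logout_good_creds": get("/admin/logout", good),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, challenge) in demo_exchange().items():
        print("%-18s %d  %s" % (name, status, challenge or ""))
```

The request to /admin/logout gets a 401 and the same `Basic realm="admin"` challenge as an unauthenticated request to /admin/ does, which is the whole trick: the server cannot reach into the browser’s credential cache, so it lies about the credentials having been rejected and lets the browser drop them itself. Note that nothing here prevents a user who re-enters the right password at the prompt from being logged in again.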

Does anyone else have a different way of tackling this problem?

One Response to How to Log Out of an Application that Uses HTTP Authentication

  1. Daniel says:

    Quoting the RFC (you can find it here): “Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide a method for a server to direct clients to discard these cached credentials. This is a significant defect that requires further extensions to HTTP.” I usually don’t use HTTP authentication, but I never ever saw any other solution than setting a 401 status code =|