问题
I use Htdigest authentication with lighttpd. When the user first logs in to the website, a standard username/password dialogue box is presented. If correct username and password is entered, user can login, otherwise lighttpd shows an Authentication failure page.
So far so good!
The problem is when the user wants to logout, the browser doesn't forget the username and password. In other words as long as the browser is open, user can return to the same site without being asked to authenticate. One solution can be to close the browser so that it forgets the authentications But I don't want to force the user to close their browser everytime they want to log out.
Is there a way using JavaScript or server side code (ie. PHP, Python or Lua) to let the browser forget the htdigest authentication?
PS. We use Lua 5.1 on the server side which is not as powerful as PHP but it runs as FASTCGI in Lighttpd 1.4 on Linux 2.6.
回答1:
It can be done, but is tricky. There is no default way to do this. Conclusion drawn from various sources:
You have to trick the browser in forgetting the user/password combo. This can be achieved by letting the logout page send a 401 Not Authorized response header. Unfortunately the details vary per browser.
来源:https://stackoverflow.com/questions/9513206/how-to-tell-the-browser-to-forget-htdigest