Logging a user out when using HTTP Basic authentication

Question

I want users to be able to log in via HTTP Basic authentication modes.

The problem is that I also want them to be able to log out again - weirdly browsers just don\'

Answer 1

The short anser is:
There is no reliable procedure for achieving a "logoff" using HTTP Basic or Digest authentication given current implemenations of basic auth.

Such authentication works by having the client add an Authorization header to the request.
If for a certain resource the server is not satisfied with the credentials provided (e.g. if there are none), it will responde with a "401 Unauthorized" status code and request authentication. For that purpose it will provide a WWW-Authenticate header with the response.

A client need not wait for a server requesting authentication. It may simply provide an Authorization header based on some local assumptions (e.g. cached information from the last successful attempt).

While your outlined approach on "clearing" out authentication info has a good chance of working with a wide range of clients (namely widespread browsers), there is absolutely no guarantee that a nother client might be "smarter" and simply discriminate proper authentication data for your "logout" page and any other pages of the target site.

You will recognize a similar "problem" with using client side certificate based authentication. As long as there is no explicit support from clients you might fight on lost ground.

So, if "logoff" is a concern, move over to any session based authentication.

If you have access to the implementation of authentication on the server side you might be able implementing a functionality that will disregard authentication information presented with Authorization header (if still identical to what has been presented during current "session) on request of your application level code (or provide some "timout" after which any credentials will be re-requested), so that the client will ask the user for providing "new" credentials (performing a new login).