Tuesday, September 6, 2011

Basic HTTP Authentication - Straightforward Approach

Basic HTTP authentication becomes quite a nightmare when you can't implement a logout after you have successfully logged in.

Stop scratching your head and searching for how to implement one.
A straightforward approach is all it takes.

1. .htaccess

Simply add these lines to the .htaccess file:

AuthType Basic
AuthName "Git"
AuthUserFile /usr/share/www/.ht-passwd
Require valid-user

where /usr/share/www/.ht-passwd is the path to your .htpasswd file.

2. htpasswd
$ htpasswd /usr/share/www/.ht-passwd username
Or, try these tools available online.

3. Logout Issue

To log out, simply try to log in to your page as an invalid user. For example, if http://example.test is what you are trying to access, then visit http://logout@example.test, where logout is a user which doesn't exist. You may put this link on your site for easy access.
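The following sketch is an added example, not code from the original post. It shows what the logout link does on the wire: the Authorization header a client derives from http://logout@example.test, and the 401 challenge a server answers with. The WSGI app, the user alice and the SHA-256 password store are assumptions standing in for Apache and the .htpasswd file; the Cache-Control header addresses the back-button caching raised in the comments.

```python
import base64, binascii, hashlib, hmac
from urllib.parse import urlsplit

REALM = "Git"  # same realm as AuthName in the .htaccess above
# Constructed stand-in for the .htpasswd file (user -> SHA-256 hex of password).
# Real htpasswd files use other hash formats; SHA-256 keeps this stdlib-only.
USERS = {"alice": hashlib.sha256(b"s3cret").hexdigest()}

def header_from_url(url):
    """Authorization value a client derives from user[:password]@ in a URL."""
    p = urlsplit(url)
    raw = f"{p.username or ''}:{p.password or ''}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def authenticated_user(header):
    """Return the user name if the Basic credentials are valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Unknown users are compared against a dummy digest (constant-time compare).
    ok = hmac.compare_digest(digest, USERS.get(user, "0" * 64))
    return user if ok and user in USERS else None

def app(environ, start_response):
    """WSGI app: 401 plus challenge for bad credentials, uncached 200 otherwise."""
    user = authenticated_user(environ.get("HTTP_AUTHORIZATION"))
    headers = [("Content-Type", "text/plain"), ("Cache-Control", "no-store")]
    if user is None:
        headers.append(("WWW-Authenticate", f'Basic realm="{REALM}"'))
        start_response("401 Unauthorized", headers)
        return [b"login required\n"]
    start_response("200 OK", headers)
    return [f"hello {user}\n".encode()]

def request(url):
    """Call app() as a client following `url` would; return (status, headers)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "HTTP_AUTHORIZATION": header_from_url(url)}
    app(environ, start_response)
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    print(header_from_url("http://logout@example.test"))
    print(request("http://logout@example.test"))
    print(request("http://alice:s3cret@example.test"))
```

The header value is only base64, not encryption, so anyone who can read the request can read the credentials unless the site is served over HTTPS.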



  1. Sometimes, it's good to be a lame. :)

    1. One thing I see when I try this is I'm still able to hit the back button and see what was on the page.... If I try to click a link, it throws the login prompt though.

    2. @dono,
      Since there is no server side logic, and there isn't anything done to prevent the browser cache, there isn't a solution for what you mentioned. And the issue you reported might happen with other implementations too, if it's the case of the temporary cache.

      The best way is to logout and close the page. I think so.

    3. @dono,
      Was checking my own post and saw your comment posted a year ago.

      Header unset ETag
      Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
      Header set Pragma "no-cache"
      Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"

      If mod_headers is enabled, you can send custom headers and disable caching. This must work.