htaccess logout secure directory

Forum Moderators: phranque

Message Too Old, No Replies

htaccess logout secure directory

htaccess, logout, apache

skinter

9:31 pm on Aug 13, 2005 (gmt 0)

I want to let the user be able to logout without closing their browser, but I can't figure out how to do it. I know that, technically, it is impossible, but I have seen countless other things do it. For example, cPanel has a logout feature and a lot of other cPanel-ish programs.

Do any of you know how to do this?

Thanks for the help.

nkthrasher

11:48 am on Aug 29, 2005 (gmt 0)

Few weeks old, but I stumbled on this googling for a solution, and found one, so I figured I'd share it.

Browsers can't forget passwords, but you can tell it a new one to remember. assume that your web address is "www.foo.com", and your protected directory is "/bar/" and is protected by a .htaccess file that points to /bar/.htpasswd for its passwords.

once you log into /bar/ using your name and password you cant log out without killing the browser, normaly.

Now, create a new directory in /bar/ called logout, then a new .htaccess and .htpasswd file, in the ./htpasswd file make a user "logout" with password "now". Make the index.html for /logout a simple goodbye splash screen with a *HARD LINK* to the directory you want them to return to after logging out (assumedly [foo.com)...] you cant do a soft link (ie href="/index.html") for this one, it has to be a direct hard connection.

Now, in your /bar/ files, put a link like href="http://logout:now@www.foo.com/bar/logout/index.html" as your 'logout' link.

If it works, what should happen is you click logout, it sends you to the logout directory and logs you in as logout, you then return to the main page, try to enter /bar/ again, and logout isnt a valid name there! Suddenly, you're forced to log back in again as a valid person! You might want to create logout in /bar/.htpasswd with some crazy password that you'll forget over time anyway, just so that you're sure it will get rejected at the door.

inspiration came from [ssi-developer.net...]

jdMorgan

9:24 pm on Aug 29, 2005 (gmt 0)

Have you tested this across multiple latest-version browsers?

I understood that the passing of passwords in URLs is no longer supported in most current releases. Could be wrong, but wouldn't want my site to look broken because of it...

Jim

nkthrasher

9:50 pm on Aug 29, 2005 (gmt 0)

Havent tested it in IE or Netscape yet, can do that in about 8 hours. Firefox / Mozilla / Opera / Konqueror all check out on a FC3 system. The only issue I've run into was when I load the page as 127.0.0.1 or a direct IP address instead of its full url thats used in the hard link it gets rather confused. using static pages could make that an issue, but using cgi or php it wouldnt be hard to figure out where they're coming from and make the hard link fit.

nkthrasher

7:45 am on Aug 30, 2005 (gmt 0)

Hmm, scratch this plan, IE doesnt work with it, looks like you are correct Jim and it doesn't take address passwords.

However, if theres a way to trick it into taking a password without a prompt, the idea still works. And or you can provide this logout solution for non-IE users and tell everyone else to close out.