HTTP authentication logout via PHP

Question

What is the correct way to log out of an HTTP authentication protected folder?

There are workarounds that can achieve this, but they are potentially dangerous because they can be buggy or don't work in certain situations / browsers. That is why I am looking for a correct and clean solution.

Recommended answer

Mu. No correct way exists, not even one that's consistent across browsers.

This is a problem that comes from the HTTP specification (section 15.6):

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1. does not provide a method for a server to direct clients to discard these cached credentials.

On the other hand, section 10.4.2 says:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.

In other words, you may be able to show the login box again (as @Karsten says), but the browser doesn't have to honor your request - so don't depend on this (mis)feature too much.
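
The re-challenge workaround described in the answer, as an added example that is not part of the original answer: the server remembers a logout in a session flag and refuses the next set of cached credentials once with the same 401 challenge. It assumes PHP itself receives the Basic credentials (`PHP_AUTH_USER` / `PHP_AUTH_PW` are populated); the realm name, the `refuse_once` session key and `check_credentials()` are hypothetical.

```php
<?php
declare(strict_types=1);

const REALM = 'Example Area'; // constructed realm name

function challenge(string $body): void
{
    // Same challenge as the original login. Per section 10.4.2, a 401 for a
    // request that carried credentials means those credentials were refused.
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('Cache-Control: no-store');
    echo $body; // the entity the browser may show instead of prompting again
    exit;
}

function check_credentials(string $user, string $pass): bool
{
    // Hypothetical verifier with one constructed account; a real application
    // would check a stored hash with password_verify().
    return hash_equals('alice', $user) && hash_equals('demo-only-password', $pass);
}

session_start();

// Logout: the server cannot make the browser forget, so it only records intent.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    $_SESSION['refuse_once'] = true;
    echo 'Logged out.';
    exit;
}

// First request after logout: refuse whatever credentials arrive, exactly once.
// A browser that only displays the 401 body keeps its cached credentials, and
// the next reload is authenticated again, which is the limitation the answer names.
if (!empty($_SESSION['refuse_once'])) {
    unset($_SESSION['refuse_once']);
    challenge('Please sign in again.');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === null || !check_credentials($user, $pass)) {
    challenge('Authentication required.');
}

echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```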
