HTTP authentication logout via PHP


Problem description

What is the correct way to log out of HTTP authentication protected folder?

There are workarounds that can achieve this, but they are potentially dangerous because they can be buggy or don't work in certain situations / browsers. That is why I am looking for a correct and clean solution.

Recommended answer

Mu. No correct way exists, not even one that's consistent across browsers.

This is a problem that comes from the HTTP specification (section 15.6):

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1. does not provide a method for a server to direct clients to discard these cached credentials.

On the other hand, section 10.4.2 says:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.

In other words, you may be able to show the login box again (as @Karsten says), but the browser doesn't have to honor your request - so don't depend on this (mis)feature too much.
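
The exchange described in the answer above, as an added example that is not part of the original answer: a PHP handler (run from the CLI) whose logout URL re-sends the 401 challenge, followed by a constructed request sequence showing that a client which keeps its cached credentials is still accepted afterwards. The realm, paths, user table and the `handle()` function are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: realm, paths, user and password are assumptions.
const CHALLENGE = 'WWW-Authenticate: Basic realm="private"';

/** Returns [status, headers, body] for one request to the protected folder. */
function handle(string $path, ?string $authorization, array $users): array
{
    // The logout URL always answers 401 with the same challenge as the folder,
    // plus an entity the browser may show instead of a new login box (10.4.2).
    if ($path === '/private/logout') {
        return [401, [CHALLENGE], 'Logout requested; the browser may still hold the credentials.'];
    }
    if ($authorization !== null && preg_match('/^Basic\s+(\S+)$/i', $authorization, $m)) {
        $decoded = base64_decode($m[1], true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            [$user, $pass] = explode(':', $decoded, 2);
            if (isset($users[$user]) && password_verify($pass, $users[$user])) {
                return [200, [], "Hello, $user"];
            }
        }
    }
    return [401, [CHALLENGE], 'Authentication required.'];
}

$users  = ['alice' => password_hash('s3cret', PASSWORD_DEFAULT)];
$cached = 'Basic ' . base64_encode('alice:s3cret');   // what the browser keeps

// Constructed exchange: request path, Authorization header sent by the client.
$exchange = [
    ['/private/',       null],     // first visit: 401 and a login box
    ['/private/',       $cached],  // user has logged in: 200
    ['/private/logout', $cached],  // logout link: 401 with the same challenge
    ['/private/',       null],     // client dropped its credentials: 401
    ['/private/',       $cached],  // client kept them anyway: still 200
];
foreach ($exchange as [$path, $auth]) {
    [$status] = handle($path, $auth, $users);
    printf("%-16s %-12s -> %d\n", $path, $auth === null ? '(no creds)' : '(cached)', $status);
}
```

The last two rows are the point: the server's response is identical either way, so whether the user is "logged out" is decided entirely by what the client does with its cached credentials.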
