I'm experiencing strange behavior with my user authentication scheme in my PHP app, with users using IE 5.5 (PC and Mac). I am using browser authentication (WWW-Authenticate and 401 headers), "no cache" headers, and PHP 4 sessions. I am finding that even when the user totally quits IE, if he then restarts IE, one or both (haven't isolated for sure yet) of the following happen: - The browser still knows the user and password, and so will send it to the server upon an authentication request under the same realm, without prompting the user. (The user does NOT have "save this password" checked on the user/password prompt when it first comes up.) - The session is still active. A call to session_start() returns the pre-existing session, instead of getting a new one. If the user restarts his machine, IE no longer remembers his user and password, and so a prompt is displayed upon authentication headers being sent. And I presume (not 100% certain) that a new session gets created. Both of these are behaving like IE is still running. Is this a known issue with IE 5.5? Does it just stay running? These symptoms make it sound like this, and less like a logic problem in my PHP app. (I have verified that the username and password are sent when the user gets an authentication prompt, without the user typing anything. I'm assuming there's no possible way that a PHP session can retain this information; I am reading $PHP_AUTH_USER and $PHP_AUTH_PW...there's no way these can be set unless the browser were already running and the user had previously entered them into their prompts, right?) Has anyone else run into this? My application works perfectly under Netscape 4, IE 4, and Opera 5. Thanks, Ken -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
