I, too, am using PHP with authentication and IE 5.  However, I am using 
.htaccess to generate the headers instead of PHP.  I found this text...

A quote from the PHP manual:
>Both Netscape and Internet Explorer will clear the local browser window's 
>authentication cache for the realm upon receiving a server response of 
>401. This can effectively "log out" a user, forcing them to re-enter their 
>username and password. Some people use this to "time out" logins, or 
>provide a "log-out" button.

This doesn't answer Ken's question, but at least perhaps you can use it to 
provide a "log-out" button.  Let me know if it works or not.

At 09:57 PM 3/3/01 -0500, kenzo wrote:
>I'm experiencing strange behavior with my user authentication scheme in my 
>PHP app, with users using IE 5.5.
>
>I am using browser authentication (WWW-Authenticate and 401 headers), "no 
>cache" headers, and PHP 4 sessions.
>
>I am finding that even when the user totally quits IE, if he then restarts 
>IE, one or both (haven't isolated for sure yet) of the following happen:
>
>- The browser still knows the user and password, and so will send it to 
>the server upon an authentication request under the same realm, without 
>prompting the user.  (The user does NOT have "save this password" checked 
>on the user/password prompt when it first comes up.)
>- The session is still active.  A call to session_start() returns the 
>pre-existing session, instead of getting a new one.
>
>If the user restarts his machine, IE no longer remembers his user and 
>password, and so a prompt is displayed upon authentication headers being 
>sent.  And I presume (not 100% certain) that a new session gets created.
>
>Both of these are behaving like IE is still running.  Is this a known 
>issue with IE 5.5?  Does it just stay running?  These symptoms make it 
>sound like this, and less like a logic problem in my PHP app.  (I have 
>verified that the username and password are sent when the user gets an 
>authentication prompt, without the user typing anything.  I'm assuming 
>there's no possible way that a PHP session can retain this information; I 
>am reading $PHP_AUTH_USER and $PHP_AUTH_PW...there's no way these can be 
>set unless the browser were already running and the user had previously 
>entered them into their prompts, right?)
>
>Has anyone else run into this?  My application works perfectly under 
>Netscape 4, IE 4, and Opera 5.
>
>Thanks,
>Ken


John Henckel          alt. mailto:[EMAIL PROTECTED]
Zumbro Falls, Minnesota, USA   (507) 753-2216

http://geocities.com/jdhenckel/


-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
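
The "log-out" button and "time out" uses described in the manual quote above, as an added example that is not part of the original messages or of the PHP manual. The realm name, the `?logout` parameter, the idle limit, the demo account and `check_credentials()` are assumptions made for illustration, and the script reads `$_SERVER['PHP_AUTH_USER']` rather than the `$PHP_AUTH_USER` global used in the thread.

```php
<?php
declare(strict_types=1);

const REALM = 'Example Realm';   // hypothetical realm name
const IDLE_LIMIT = 900;          // hypothetical idle timeout, in seconds

// Hypothetical verifier with one constructed account; a real application
// checks a stored password hash with password_verify() instead.
function check_credentials(string $user, string $pw): bool
{
    $okUser = hash_equals('demo', $user);
    $okPw   = hash_equals('constructed-password', $pw);
    return $okUser && $okPw;
}

// Send the 401 challenge that makes the browser prompt again, then stop.
function challenge(string $message): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    exit($message);
}

session_start();
$now = time();

// "Log-out" button: a link to this script with ?logout=1.
if (isset($_GET['logout'])) {
    $_SESSION = ['must_reauth' => true];
    session_regenerate_id(true);   // retire the old session id
    challenge('Logged out.');
}

// "Time out": treat a session that has been idle too long like a logout.
$idle = isset($_SESSION['last_seen'])
    && $now - $_SESSION['last_seen'] > IDLE_LIMIT;

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pw   = $_SERVER['PHP_AUTH_PW'] ?? '';

// Credentials arriving right after a logout or timeout may be ones the
// browser cached, so they are rejected once and the user is asked again.
if ($idle || !empty($_SESSION['must_reauth']) || !check_credentials($user, $pw)) {
    $_SESSION = [];
    challenge('Authentication required.');
}

$_SESSION['last_seen'] = $now;
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The server-side flag means a logout holds even if the browser keeps sending the old username and password, which is the symptom Ken describes. The user dismisses the prompt shown by the log-out response and signs in again on the next page.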
