WWW-Authenticate: How to force password login at every page refresh ?

thenetflyer wrote:
[color=blue]
> The following sample should authorize the user to log on the site.
> This works once but after refreshing the browser, it does not prompt
> again for login until all browser (IE 6) windows are closed and the
> same page is opened.
> I turned off all caching but still it does cache (as a refresh doen
> not promt again).
>
> How can I force the page to prompt for a password at every refresh ?[/color]

You can't. Browsers are designed to work like this so people don't need to
keep entering their login name and password. Why are *you* wanting to do
this? Do you really want them to have to enter their login name and
password *every time* they request a page in your secure area?

What you could do to make this work (if it's really that important to you :)
is use this in combination with a cookie. Set the cookie when they first
access the page successfully. If the cookie is set as well as the login and
password then you know this is the second request, so you just deny access
again using the 401 header (and clear the cookie at the same time). This is
far from foolproof but it is some sort of solution. Note that you need to
set the cookies BEFORE you output any HTML, so you need to move all your
authentication logic to the top of the script.

Another (more foolproof) solution, would be to track their accesses in a
database or log file. If the second successfull request is within x seconds
of the last one you could then send a second 401 header requesting they
authenticate again. But this could cause more problems for your customers.

Sending a 2nd 401 header worked for me using Konqueror (ie it asked for the
login and password again), whether or not it will work in all browsers I
don't know.

--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/

I have been pounding my head on the same wall for 3 days now.

I have discovered that this is "normal" behavour.

You cn not force a "logout" of a www-authentication session without the
browser closing first.

Period. End of story.

(PLEASE! Someone tell me I'm wrong!)

I have a working model using PEAR::Auth, and my new extension to Auth,
AuthUser.

Right now it tracks logins, limits attempts to a defined limit (well, as far
aas this kind of thing can), fixes the DB case-insensitive ID location (some
DBs do a look up case insensitive, do JoE and jOe are the same).

I will have group, access, and level added soon.

Anyway. I have code that con do what you ask, but it uses an HTML login
form. :/

I'm still waiting for someone to prove me wrong with real code.

If you'd like a copy of my example code, drop me a note and I'll send it to
you.

Walter