Log out from htaccess protected directories

Hello forums.

I just want to know if it’s possible to log out from htaccess protected directories.
I have built a custom CMS and for the sake of simplicity I just protected it with an htaccess password and I was planning to integrate a log out button and I need to know if it’s possible. And if it is possible …How?

thanks

stonedeft,

Buttons have NOTHING to do with Apache - it’s a script thing.

As for your .htaccess protection, merely delete (or comment out) the protection lines and it’s gone.

Regards,

DK

Thanks dklynn

I was actually creating something like the log in / log out of cPanel. And this is for my CMS. I chose htaccess password protection over PHP sessions as it is much safer, lightweight and easier to implement.

I googled around and found this:

http://www.ssi-developer.net/htaccess/htaccess_logout.shtml

Which says that the only thing to do is to trick the browser by providing a fake credential, something like this:

<a href="http://fakeuser:fakepass@yourdomain.com/logout/">Logout</a>

It works well but unfortunately IE8 doesn’t consider the above link as valid. Any ideas for IE8?

thanks again

That’s a security thing. Too many people who were unaware of that format for passing userids and passwords into password protected pages were falling for links like

http://yourbank.com?link=abcdefghijklmnopqrstuvwxyzabcdefghi@scammerswrippoffsite.com

and thinking that it was a link to http://yourbank.com rather than a link to
http://scammerswrippoffsite.com

The format allowing those fields to be entered in the address was almost exclusively being misused to link to scam sites (which were not password protected and therefore just ignored everything before the @) and almost never used for their proper purpose, so since there are other ways to enter the userid and password, IE8 and other modern browsers decided to no longer allow the userid and password to be entered in front of the @ in the URL.
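A defender-side check for the URL form discussed above, as an added example that is not part of the original thread: it parses a link with the standard `URL` class, reports the host that is really contacted, and flags anything placed before the `@`. The names `auditLink` and `safeDecode`, the verdict strings, and every sample link other than the thread's logout link are assumptions made for illustration.

```javascript
// Added example: audit hrefs for credentials embedded before the "@".
// A userinfo part that itself looks like a host name is the lookalike
// pattern; a plain user:pass pair is the legacy inline-login form.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// The URL parser keeps malformed percent sequences, so decoding may throw.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch {
    return text;
  }
}

function auditLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { href, verdict: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { href, verdict: "not-http" };
  }
  if (url.username === "" && url.password === "") {
    return { href, verdict: "ok", realHost: url.hostname };
  }
  // Rebuild the URL without credentials so it can be shown or logged safely.
  const clean = new URL(url.href);
  clean.username = "";
  clean.password = "";
  const user = safeDecode(url.username);
  return {
    href,
    verdict: HOSTLIKE.test(user) ? "lookalike-host" : "embedded-credentials",
    realHost: url.hostname,
    stripped: clean.href,
  };
}

// Constructed sample links, apart from the logout link quoted in the thread.
const SAMPLES = [
  "http://fakeuser:fakepass@yourdomain.com/logout/",
  "http://yourbank.com@example.invalid/login",
  "https://example.invalid/account",
];
for (const r of SAMPLES.map(auditLink)) console.log(r.verdict, r.realHost);
```
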

Thanks felgall. If this is a security breach then sooner or later all browsers won’t support the format.

I was wondering if there is a better way to pass username and passwords without using url links … maybe an htaccess voodoo or something :)