For example, $_SERVER["PHP_AUTH_USER"]

I tried the unset function, but it did not help.


At the beginning of the admin panel there is this code:

    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header("WWW-Authenticate: Basic realm=\"Admin Page\"");
        header("HTTP/1.0 401 Unauthorized");
        exit();
    }

That is, to reauthorize me somewhere else in the code, you need to delete the element $_SERVER['PHP_AUTH_USER'].

  • Generally speaking, unset works; can you expand the question? - Grundy
  • @Grundy, added - perfect
  • What does "the beginning of the admin" mean? Where did you try to use unset? - Grundy
  • And what does it mean to reauthorize from another place? - Grundy
  • @Grundy, the admin panel is a site management block; this code is inserted at the beginning of each page of this block (I gave it above, though of course that is not all of it). I call unset from a separate special page that has no code except the unset call itself, to change the current account to another. - perfect

2 answers

This is an interesting question, and it turns out to be a little more difficult if you read not only the title, but also the text of the question itself.

Answering it requires an understanding of how PHP works in principle.

Therefore, there will be two answers:

  1. Of course, you can remove an element from a superglobal array.
  2. But this will not help you.

This is because these variables are filled again on each request, from the incoming HTTP headers. That is, the question really is:

Is it possible to force the browser not to transmit a specific HTTP header?

Answer: it is impossible.

HTTP basic authentication is designed so that the browser transmits a username and password with each request. If it does not transmit them, the PHP script will not recognize them, and the user will not be able to view the password-protected page.

At the same time, HTTP basic authentication does not provide a logout mechanism.

You can only request the password again, but if the user ignores this request, the browser will continue to send the old login and password. About 15 years ago I dug into this topic for quite a while, and even made a demo page that didn’t log out the user ... but the most capable could find out that this trick was performed using a banal cookie 8)

  • intelligible, thanks - perfect
  • And I’ll probably follow this path. Now this method of authorization seems strange to me, in that it’s impossible to do without crutches. Oh, the author praised this technology so much that I applied it without delving into it. Well, at least it will be a lesson for the future - perfect
  • @perfect for a simple admin panel it is a good option, but for something more complex it is not suitable. - Ipatiev
  • The admin panel is simple, but it has two administrators - perfect
  • Is this a coincidence with this cookie? ru.stackoverflow.com/a/231105/2872 - perfect
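
The behaviour described in the answer above, as an added example that is not part of the original thread: a simulation of how the auth entries of `$_SERVER` are rebuilt from the `Authorization` header on every request, plus one possible cookie-marker way to force a re-prompt when switching accounts. `populate_server`, `switch_account`, the `leaving_user` cookie and the sample credentials are assumptions made for illustration; password verification is assumed to happen elsewhere.

```php
<?php
// Constructed simulation: PHP derives PHP_AUTH_USER / PHP_AUTH_PW from the
// incoming Authorization header at the start of every request.
function populate_server(array $headers): array {
    $server = [];
    $auth = $headers['Authorization'] ?? '';
    if (stripos($auth, 'Basic ') === 0) {
        $decoded = base64_decode(substr($auth, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            [$user, $pw] = explode(':', $decoded, 2);
            $server['PHP_AUTH_USER'] = $user;
            $server['PHP_AUTH_PW'] = $pw;
        }
    }
    return $server;
}

// Hypothetical "switch account" page: a marker cookie names the account being
// left; answer 401 until the browser presents a different user. The cookie can
// only trigger a re-prompt, it never grants access by itself.
function switch_account(array $server, array $cookies): array {
    $current = $server['PHP_AUTH_USER'] ?? null;
    $leaving = $cookies['leaving_user'] ?? null;
    if ($current === null || $current === $leaving) {
        return [401, ['WWW-Authenticate: Basic realm="Admin Page"']];
    }
    // A different account was presented: clear the marker and continue.
    return [200, ['Set-Cookie: leaving_user=; Max-Age=0; Path=/']];
}

// Constructed credentials; the browser resends this header with every request.
$browser = ['Authorization' => 'Basic ' . base64_encode('alice:secret1')];

$server = populate_server($browser);             // request 1
unset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']);
var_dump(isset($server['PHP_AUTH_USER']));       // removed for this request only

$server = populate_server($browser);             // request 2: header sent again
var_dump($server['PHP_AUTH_USER'] ?? null);      // the entry is back

// Switching accounts: the old user is challenged, a new user passes.
[$status] = switch_account($server, ['leaving_user' => 'alice']);
var_dump($status);
$browser = ['Authorization' => 'Basic ' . base64_encode('bob:secret2')];
[$status] = switch_account(populate_server($browser), ['leaving_user' => 'alice']);
var_dump($status);
```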

Try to unset several functions.

    unset($_SERVER['PHP_AUTH_PW'], $_SERVER['PHP_AUTH_USER']);
    header('WWW-Authenticate: Basic realm="Auth"');
    header('HTTP/1.0 401 Unauthorized');

  • Wrong, these are server variables that only PHP has access to - perfect
  • @perfect test the version I proposed; in general, it should be done with a redirect to a 401 page - Legionary
  • My code doesn't use sessions at all, and this does not answer my question in any way - perfect
  • I edited the answer: to delete, run unset for the 2 variables with a redirect to 401 - Legionary