How to remove 'Authorization: Basic username:password' header from browser

Mr. Flibble · Oct 16, 2011 · Viewed 10.8k times

I've been trying to make use of the native login prompt that is available in browsers:

(image: native login prompt)

and have been following Steven Sanderson's blog post.

As mentioned in the blog, once a user enters their login details, the browser then sends the header Authorization: Basic username:password in all future requests to the login URL. This means that if a user logs out, but doesn't close the browser window, the next time they visit the login page, they are logged in automatically when visiting the login page. Effectively the browser stores the authentication details until the browser closes down - leaving your account open to unauthorised access.

Is there a way to make the browser forget the authorization information so that the user cannot log in again without re-entering their details?

Answer

dmitry · Oct 16, 2011

As it is written in Wikipedia:

Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. [1] HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser. This is a significant defect that requires browser manufacturers to support a 'logout' user interface element (mentioned in RFC 1945, but not implemented by most browsers) or API available to JavaScript, further extensions to HTTP, or use of existing alternative techniques such as retrieving the page over SSL/TLS with an unguessable string in the URL.

Seems there is no way in general.