Logout from HTTP auth using Apache

Since no mechanism is defined to log the user out of an HTTP-authenticated session, you have to use a workaround. Most browsers forget their login data once they receive a 403 response. The problem is that the user has to return to the normal starting page manually.

Update 2017-02-22: It seems that this technique doesn't work anymore in recent Firefox and Chrome browsers.

The following code, which can be embedded into an Apache VHost declaration, uses a cookie to send a 403 response to the browser the first time it requests "/logout", and redirects it to "/" the second time. So the user can immediately log in again if they want to.

Please note that the order of the declarations does matter! The Location-Block must be the last block which requires a user or group.

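# Requires mod_rewrite with "RewriteEngine On" active in this VHost.
# Second visit: the logout cookie is set, so redirect to "/" and reset the cookie.
RewriteCond %{HTTP_COOKIE} ^.*logout=1.*$
RewriteRule ^/logout$ / [R,L,co=logout:0:%{HTTP_HOST}:0:/logout]
# First visit: no cookie yet, so set it and let the Location block deny access.
RewriteRule ^/logout$ - [R,L,co=logout:1:%{HTTP_HOST}:0:/logout]
# No such user exists, so authentication for /logout always fails.
<Location /logout>
    Require user nonexistinguser
</Location>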
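
Added example, not part of the original post: a small Python model of the two-request flow the rules above describe, run against constructed Cookie headers. It also shows that the post's pattern `^.*logout=1.*$` matches any header that merely contains `logout=1` (for example `logout=10` or `autologout=1`); `STRICT_PATTERN`, the function names, the action labels and the sample headers are assumptions made for this illustration.

```python
import re

# Pattern from the post's RewriteCond, and a stricter alternative (an assumption,
# not from the post) that matches only a cookie named exactly "logout" with value "1".
PAGE_PATTERN = r"^.*logout=1.*$"
STRICT_PATTERN = r"(?:^|;\s*)logout=1(?:;|$)"


def handle_logout(cookie_header, pattern=PAGE_PATTERN):
    """Model one request to /logout; returns (action, cookie_set_by_server)."""
    if re.search(pattern, cookie_header or ""):
        # First RewriteRule: marker present, so redirect to "/" and reset it.
        return ("redirect:/", "logout=0")
    # Second RewriteRule sets the marker; the Location block then denies access.
    return ("deny", "logout=1")


def logout_round_trip(pattern=PAGE_PATTERN):
    """Two consecutive requests from a browser that keeps the cookie."""
    first, cookie = handle_logout("", pattern)
    second, cookie = handle_logout(cookie, pattern)
    return first, second, cookie


# Constructed Cookie headers showing where the two patterns disagree.
SAMPLES = ["logout=1", "sid=abc; logout=1", "logout=0",
           "logout=10", "autologout=1", "sid=abc; logout=1; theme=dark"]

if __name__ == "__main__":
    print(logout_round_trip())
    for header in SAMPLES:
        print(f"{header!r:35} page={handle_logout(header)[0]:12} "
              f"strict={handle_logout(header, STRICT_PATTERN)[0]}")
```

With the post's pattern, an unrelated cookie whose name or value happens to contain `logout=1` sends the very first request straight to the redirect branch, so the denied response is never delivered.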

Comments

Hi,

Having trouble understanding this line:
"Invalid command '<Location', perhaps misspelled or defined by a module not included in the server configuration"
I have followed your instructions and enabled the rewrite module. Could you please instruct me on where I'm going wrong?

Regards Sven

Hi Sven,

A few seconds ago, there was an error in the escaping routine, so just to clarify: did you write '&lt;Location' or '<Location'? The last one should work. If not, can you give me the complete configuration of the vhost (please use mail for this)?

Regards

Roland

I tried this, but it doesn't work for me. It stops at the 403 error. After canceling login, I can click the back arrow to get to the regular path, and the login dialog will work. I am trying to use it with Nagvis. Another user was successful with the ^/nagvis path. I am using a path like so, /xxx/nagvis/logout. Tried several RewriteRule variations, no help.

@LaFong: Actually this doesn't seem to work anymore in recent Chrome and Firefox browsers. I'll add a notice to the post.