Logout from HTTP auth using Apache

Published by cybso on
This is a post from my original site, which was hosted by the former blog service of the University of Osnabrück. I have moved it to the new site for archiving. Pages linked in this article may no longer work today, and the blog comments under the article no longer exist. Opinions expressed in this article reflect the point of view of the time of publication and do not necessarily reflect my opinion today.

Since there is no mechanism defined to log the user out of an HTTP-authenticated session, you have to use a workaround. Most browsers forget their login data once they receive a 403 response. The problem is that the user has to return to the normal starting page manually.

Update 2017-02-22: It seems that this technique doesn't work anymore in recent Firefox and Chrome browsers.

The following code, which can be embedded into an Apache VHost declaration, uses a cookie to send a 403 response to the browser the first time it requests "/logout", and redirects it to "/" the second time. This way the user can immediately log in again if they want to.

Please note that the order of the declarations does matter! The Location block must be the last block that requires a user or group.

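# Requires mod_rewrite with "RewriteEngine On" in this VHost
# Second request: the logout cookie is set, so redirect to "/" and reset it
RewriteCond %{HTTP_COOKIE} ^.*logout=1.*$
RewriteRule ^/logout$ / [R,L,co=logout:0:%{HTTP_HOST}:0:/logout]
# First request: set the logout cookie and pass the request on unchanged ("-")
RewriteRule ^/logout$ - [R,L,co=logout:1:%{HTTP_HOST}:0:/logout]
# This user is assumed not to exist, so every request reaching /logout is refused
<Location /logout>
    Require user nonexistinguser
</Location>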
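
The two-request exchange described above can be modelled offline. The following Python sketch is an added example, not part of the original post: it replays the cookie logic of the rules and shows that the unanchored pattern ^.*logout=1.*$ also matches other cookies such as "autologout=10", in which case the browser is always redirected and never receives the refusal. The function names, the stricter pattern and the sample cookie are assumptions made for illustration.

```python
import re

# Pattern from the post's RewriteCond, and a stricter variant (assumption, not
# from the post) matching only a cookie named exactly "logout" with value "1".
PAGE_COND = re.compile(r"^.*logout=1.*$")
STRICT_COND = re.compile(r"(?:^|;\s*)logout=1(?:;|$)")


def handle_logout(cookie_header, cond=PAGE_COND):
    """Model of the rules for a request to /logout.

    Returns (outcome, cookie the server sets)."""
    if cond.search(cookie_header or ""):
        # First rule: marker cookie seen -> redirect to "/" and reset it.
        return "redirect:/", "logout=0"
    # Second rule: no marker -> set it and pass through to the <Location>
    # block, whose unsatisfiable Require makes the server refuse the request.
    return "denied", "logout=1"


def simulate_browser(visits, cond=PAGE_COND, initial_cookies=None):
    """Replay `visits` requests to /logout with a browser-like cookie jar."""
    jar = dict(initial_cookies or {})
    outcomes = []
    for _ in range(visits):
        header = "; ".join(f"{k}={v}" for k, v in jar.items())
        outcome, set_cookie = handle_logout(header, cond)
        name, value = set_cookie.split("=", 1)
        jar[name] = value
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    # Normal flow: refusal first, redirect second, then the cycle repeats.
    print(simulate_browser(3))
    # Constructed sample: an unrelated cookie that happens to contain "logout=1".
    other = {"autologout": "10"}
    print(simulate_browser(2, initial_cookies=other))               # never refused
    print(simulate_browser(2, STRICT_COND, initial_cookies=other))  # works again
```
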