Present

So now I have change my requirements, a true logout mechanism must have some conditions and priorities (personal opinion):

1. Accessibility
2. Cross Platform
3. Header Based Authentication, no cookies
4. Independent of the authentication mechanism

1.- Recently I have been paying much more attention to the web pages I create. The approach I use now is the Hijax: think about using AJAX, create your pages as javascript is disabled, then add the Javascript for the fun stuff. With this
approach you are making sure your web pages are always looking good even if Javascript is disabled. Of course, there will be some situations where you can assume that Javascript is required by that can be managed on a case basis. Currently my approach to perform the
logout mechanism suffers horribly in this requirement, so, this is one of the aspects I need to work to improve my login/logout mechanism. I haven’t done the tests yet, but my feeling is that I will have 2 layers of logout: one at the client side (using some Javascript) and
the other at the server side.

2.- When I am at work or home I usually use Firefox; when I am programming something I test it on Firefox and Internet Explorer 6 & 7. Recently I have been doing some work with a friend (Carlos) and I realized that my mechanism for logout doesn’t work for Safari. So my mechanism is just partial and not robust enough. But how I am handling this situation right now? Well, I have to admit, I still use my script for logout and it does its job for IE & Firefox (version 2 sometimes doesn’t work) but I am also using a session handler via php (yes, it is a cookie!) for the cases of the other browser (Opera, Safari, etc). In the next part I will be posting my current configuration. So, this is another requirement that is not satisfy by my logout script.

3.- As Berend de Boer mentioned in his article, cookies should not be used for authentication. Yeah! this is really controversial and each one will have different opinions; you even will say “hey! you are using wordpress which handles sessions by cookies, so?”; sure, I have nothing against using cookies, is just that I am working on a solution that relies on the header for authentication rather than on the cookies. At the end, it depends on what you want to implement.

4.- I believe the login/logout mechanism should be flexible enough to support different authentication mechanisms. For this item you should keep in mind that your desired clients (browsers) should support the authentication mechanism you want to implement; not all of them are implemented in all the browsers. For example, if I recall correctly, the Digest Authentication mechanism does not work with Pocket Internet Explorer, so another mechanism needs to be used (Basic works for sure). Then, you need to check if your server supports the mechanism that you want to implement; if is not supported then you might need to implement it yourself.

Personally I implement solutions using Apache Digest authentication with php on the server side. I even had to code the Digest authentication to support old Apache servers (especially version 1.3). Currently it works with Opera, IE, FF, Safari; but as I mentioned before, the trick is coming from the session handler. I might setup a new area for the purposes of testing to any one.

So, this is my current status. My next steps are to adjust my authentication mechanism to reflect my new requirements. In the meanwhile I have to accept that in order to get some of them working (cross-platform) I had to give up in others (header-based). But, since
I have more clearly identify my needs and requirements I can safely say that my solution will be a “a cookie-less PHP-based login/logout mechanism for the Digest Authentication module”