Yes, Matt, you were right about tracking the authorized state with a session. I actually thought about same thing: keeping a variable somewhere which will help to decide whether to send those "Authenticate" headers or not - just didn't realize you meant the same thing. :)
And a little excerpt from w3.org proving the point: "HTTP Authentication has the addition problem that there is no mechanism available to the server to cause the browser to 'logout'; that is, to discard its stored credentials for the user. This presents a problem for any web application that may be used from a shared user agent. Requests for how to force 'logout' appear almost daily in the netnews html and cgi authoring groups, and are one of the most common support questions received by Agranat Systems from their customers developing embedded systems web interfaces." Cheers, Stas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
