HTTP basic authentication “log out”

悲&欢浪女 2020-11-28 04:23

HTTP basic authentication credentials are stored until the browser is closed, but is there a way to remove the credentials before the browser is closed?

I read about

8 answers
  • 2020-11-28 04:50

    Update: This solution does not seem to work anymore in many browsers. Kaitsu's comment:

    This solution of sending false credentials to make browser forget the correct authenticated credentials doesn't work in Chrome (16) and IE (9). Works in Firefox (9).


    Actually you can implement a workaround by sending false credentials to the service. This works in browsers by sending another (non-existent?) username without a password. The browser loses the information about the authenticated credentials.

    Example:

    https://www.example.com/ => Log in with basic auth as "user1"

    Now open

    https://foobar@www.example.com/

    You're logged out. ;)

    Regards

    P.S.: But please test this with all needed browsers before you rely on the given information.

  • 2020-11-28 04:58

    If you have control over the server code, you can create a "logout" function that replies "401 Unauthorized" regardless of the credentials given. This failure forces browsers to remove saved credentials.

    I just tested this with Chrome 34, IE 11, Firefox 25 - using Express.js server and HTTP basic authentication.

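The always-401 logout route described in the answer above, as an added example that is not part of the original answer. It uses the request/response handler shape of Node's built-in `http` server rather than Express.js; the realm, the `user1` account, its password and the `/logout` path are constructed for the demo.

```javascript
// Added example; REALM, USERS and the paths are constructed demo values.
const REALM = 'demo'; // same realm as the protected pages
const USERS = new Map([['user1', 'correct horse']]); // Map: no prototype keys

// Parse "Authorization: Basic <base64(user:pass)>"; null if absent or malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // the password may itself contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Compare without returning early, so timing does not reveal a matching prefix.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ (y[i] || 0);
  return diff === 0;
}

function challenge() {
  return {
    status: 401,
    headers: { 'WWW-Authenticate': `Basic realm="${REALM}"`, 'Cache-Control': 'no-store' },
    body: 'Unauthorized',
  };
}

// Pure routing step: returns { status, headers, body } for a path and header.
function route(url, authorization) {
  // Logout: answer 401 whatever was sent, valid credentials included.
  if (url === '/logout') return challenge();
  const cred = parseBasic(authorization);
  if (!cred || !USERS.has(cred.user) || !safeEqual(cred.pass, USERS.get(cred.user))) {
    return challenge();
  }
  return { status: 200, headers: { 'Cache-Control': 'no-store' }, body: `Hello ${cred.user}` };
}

// Adapter for Node's built-in server: http.createServer(handler).listen(8080)
function handler(req, res) {
  const r = route(req.url, req.headers.authorization);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```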