The Medical
University of South Carolina   About MUSC  ·  Education  ·  Medical Center  ·  Research  ·  Library   
The IT Lab




About IT Lab
The IT Lab Team
Add an Update

Logging out When Using .htaccess Authentication

This tool makes it easy to add logout buttons to web pages that use .htaccess authentication.


  1. Download nph-logout.cgi.
  2. Put it into into the same directory as your .htaccess file.
  3. Link to it from your pages.


Visit the example page. Use the following username and password to login.

Username test
Password test


where to redirect when the user chooses not to log back in after logging out (ie. when the user pushes cancel on the login dialog (optional)
where to redirect when the user immediately logs back in (optional)

Usage Notes

Logging out with this script prevents a user from doing anything on protected pages that requires communication with the server. Logging out using this script does not prevent a user from hitting the back button on the browser and seeing the protected pages. It does prevent the user from doing anything on those pages.

A way to protect against the user seeing protected pages after logging out is to make the browser not cache those pages. This can be done by putting the folloing tags in the <head> of your pages:

<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="0" />

Installation Notes

Make sure nph-logout.cgi has executable permissions (run "chmod +x nph-logout.cgi") and make sure the directory is setup to execute CGI scripts (make sure the line "Options ExecCGI" is in the .htaccess file). Make sure the web server treats the script as a non-parsed-header script. Apache's default configuration treats all scripts named with an "nph-" prefix as non-parsed-header scripts.


This script is known to work with with Perl 5.8 and Apache 1.3 on Linux. The following web browsers are known to work with this script: Netscape 4.x and above, Mozilla, and Internet Explorer. The post-logout redirection doesn't work in IE.


CPAN modules: CGI and File::Basename

How it Works

The script tells the browser the user is no longer logged in by by sending it a standard HTTP "401 Unauthorized" header. This is possible because the script is a non-parsed-header script. The web server passes the header output by the CGI script directly to the browser untouched. The entire HTTP header is generated by the script. The script also does some fancy redirection to provide a smooth, user-friendly logout experience.

See the source code comments for details.


Copyright (C) 2003 Robert Gorlitsky

This script is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This script is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Author: Robert Gorlitsky ( one of the friendly folks at the MUSC IT Lab

Last Modified Thursday, 14-Aug-2003 17:29:46 EDT