As far as I understand, it's cached by the browsers in order to eliminate the need to constantly log in everytime you access/refresh a page. see Apache article regarding basic authentication (scroll down about half way through page).

Yeah,that it is meant to be but is there something to unset it for example I want to logout of the site so I would need that $_SERVER['PHP_AUTH_USER'] variable anymore?I mean can it work like sessions or cookies?

not as far as I can tell...there is a section in the php manual that explains forcing a new login prompt to be displayed in some browsers (see example # 3 here). -- but seems to be no way to unset the variable itself


is there a reason to not just use a session/cookie, login form, and a user/password database?

First of all the site I am editing has no database management and authentication username and password comes from third party sites not from the site.Second,I think sessions/cookie cannot handle great security on the site.If I push to handle this issues by applying database management,I will have to edit the whole site itself...

What do you think?

not having database connectivity would definitely thwart setting up your own log in/out system...

as far as security goes, basic authentication is about the worst, as it sends unencrypted 'plain text' which anyone who might be sniffing on the network can surely grab. Does the third party connection come over a secure connection (https://) ?

sessions are definitely your best bet, I usually use them in conjunction with a username/encrypted password from a mysql database...

OK,thanks for your help and time...

my pleasure...