As far as I understand, it's cached by the browsers in order to eliminate the need to constantly log in everytime you access/refresh a page. see Apache article regarding basic authentication (scroll down about half way through page) .

Yeah,that it is meant to be but is there something to unset it for example I want to logout of the site so I would need that $_SERVER['PHP_AUTH_USER'] variable anymore?I mean can it work like sessions or cookies?

not as far as I can tell...there is a section in the php manual that explains forcing a new login prompt to be displayed in some browsers (see example # 3 here) . -- but seems to be no way to unset the variable itself

is there a reason to not just use a session/cookie, login form, and a user/password database?

not having database connectivity would definitely thwart setting up your own log in/out system...

as far as security goes, basic authentication is about the worst, as it sends unencrypted 'plain text' which anyone who might be sniffing on the network can surely grab. Does the third party connection come over a secure connection ( https://) ?

sessions are definitely your best bet, I usually use them in conjunction with a username/encrypted password from a mysql database...

my pleasure...