Logging out of HTTP Basic Auth
One problem with HTTP Basic Auth is that it's hard to log users out. Typically, the browser keeps sending the authentication headers until the browser is closed.
Michael Lucas-Smith came up with a somewhat hackish solution to this problem: Logging out of HTTP Basic Auth.
In the comments, Elliotte Rusty Harold points out it doesn't have to be so difficult:
Invalidating the realm is a good idea, but there's no reason to use a cookie to do it. As long as we're using cookies you might as well use them for authentication. Better to give the user a button or some such on your site that invalidates the realm. You can time out the realm automatically after a few hours of inactivity.
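A sketch of the cookie-less realm invalidation described in the comment above, as an added example (not code from the original post or from either commenter). The `RealmAuth` class, the `site-N` realm naming, the three-hour limit and the demo credentials are all assumptions; state is kept per user on the server, so a logout applies to every browser that user is signed in from.

```python
import base64, hmac, time

USERS = {"alice": "s3cret"}      # constructed demo credentials
IDLE_LIMIT = 3 * 60 * 60         # "a few hours of inactivity" (assumed: 3 h)

class RealmAuth:
    """Per-user realm state kept on the server, no cookie involved."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.generation = {}     # user -> realm counter, bumped to invalidate
        self.last_seen = {}      # user -> time of last accepted request
        self.stale = set()       # users whose cached credentials get one 401

    def _challenge(self, user=None):
        realm = "site-%d" % self.generation.get(user, 0)
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}

    def logout(self, user):
        """Handler for the logout button: invalidate the user's realm."""
        self.generation[user] = self.generation.get(user, 0) + 1
        self.stale.add(user)

    def check(self, authorization):
        """Return (status, headers) for a request's Authorization header."""
        try:
            scheme, _, blob = (authorization or "").partition(" ")
            raw = base64.b64decode(blob, validate=True).decode()
        except ValueError:       # bad base64 or bad UTF-8
            return self._challenge()
        user, _, password = raw.partition(":")
        expected = USERS.get(user)
        if scheme.lower() != "basic" or expected is None or \
                not hmac.compare_digest(password.encode(), expected.encode()):
            return self._challenge()
        now = self.clock()
        if now - self.last_seen.get(user, now) > IDLE_LIMIT:
            self.logout(user)    # idle timeout acts as an automatic logout
        if user in self.stale:
            # Reject once: the 401 makes the browser drop its cached
            # credentials and prompt again under the new realm. The server
            # cannot tell retyped credentials from cached ones, so the
            # next valid request is accepted.
            self.stale.discard(user)
            self.last_seen.pop(user, None)
            return self._challenge(user)
        self.last_seen[user] = now
        return 200, {}
```
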