Logging out of HTTP Basic Auth

If you're down with the RESTifarians, you loves you some HTTP authentication. Baked right into the spec, it's got everything you need to log in users.

One problem with it is that it's hard to log out users. Typically, the browser keeps sending the authentication headers until it is quit.

Michael Lucas-Smith came up with a somewhat hackish solution to this problem: Logging out of HTTP Basic Auth.

In the comments, Elliotte Rusty Harold points out it doesn't have to be so difficult:

Invalidating the realm is a good idea, but there's no reason to use a cookie to do it. As long as we're using cookies you might as well as use them for authentication. Better to give the user a button or some such on your site that invalidates the realm. You can time out the realm automtaicaly after a few hours of inactivity.