NTLM Authentication - Clear Authenticated Sessions

[stealth86]

I'm working on an intranet site that uses NTLM authentication. Authentication is handled with the mod_auth_sspi module for apache. It works fine, but the browser caches the authenticated session until you manually clear it or shut down the browser.

 

Is there any good way to clear this cache from code? I've seen a java script call that will clear all authenticated sessions from IE, but I'd really like to only remove the one. I've also seen a bit of javascript code to try and insert bogus information to the cache, but this seems pretty unreliable.

 

Is there a way to clear a single entry out of the authentication cache using php? (Firefox/IE) More fundamentally, are there better libraries for apache (or php) to do NTLM with? (I run apache in Windows.)

 

Thanks!

[cooldude832]

if its a php session ($_SESSION) you can clear it by saying

<?php
session_start();
$_SESSION['CLEARME'] = "";
?>

Cookies can be set to delete

 

Also you can set your page headers to be no-cache to help

[stealth86]

if its a php session ($_SESSION) you can clear it by saying

<?php
session_start();
$_SESSION['CLEARME'] = "";
?>

Cookies can be set to delete

 

Also you can set your page headers to be no-cache to help

 

NTLM doesn't actually use cookies or PHP sessions . Also, its not a problem that individual pages are cached, its a problem that the users credentials are cached and there doesn't seem to be a way to delete these from PHP.

 

I ran across a bug report on this issue in Firefox, and it seems like this just might be impossible. Can anyone confirm or deny this?