Help: Clear Kerberos Logins Information

Ken Dreyer ktdreyer at
Sun Mar 10 18:38:36 EDT 2013

Hi Lee,

The way that I do this is I combine PHP's sessions with mod_auth_kerb.
I use mod_auth_kerb to protect only a single "login" or "session" URL,
say, "/session/http". When the user successfully does Kerberos auth to
Apache, I grab the REMOTE_USER variable as the user's login name, and
store that in a PHP session.

The rest of the web application is not protected by mod_auth_kerb. I
just rely on the PHP session to determine whether a user is logged in
or not.

To cause the user to log out, I just have to discard the PHP session
in the application's code.

This method also has the added bonus of loosely coupling Kerberos from
your application. Kerberos can be just one of several available login
mechanisms that you present to the user.

The downside is that instead of simply checking REMOTE_USER
everywhere, you now need to use PHP's session handling. Ideally, if
you're using some sort of web application framework, the intricacies
of session handling are abstracted away for you, and it's simple to
register new sessions, "login" or "logout" a user, etc.

- Ken

On Tue, Mar 5, 2013 at 9:53 AM, Lee Eric <openlinuxsource at> wrote:
> Hi,
> My site (Apache httpd + mod_auth_kerb) is using Kerberos as its
> authentication method and is written in PHP. Is it possible that I can
> use PHP code like Logout to "clear" Kerberos login credentials? Then
> after a page refresh the user can input username/password again.
> I noticed that Firefox and Chrome can do this to clean active logins.
> Just don't know how to do that.
> Here are my Kerberos configs in httpd.
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   require valid-user
>   KrbMethodNegotiate On
>   Krb5Keytab "/etc/httpd/httpd.keytab"
> Thanks.
> Eric
> ________________________________________________
> Kerberos mailing list           Kerberos at
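
The approach described in the reply above, sketched as an added example that is not code from either poster: mod_auth_kerb guards only "/session/http", and everything else trusts the PHP session. The realm EXAMPLE.COM, the function names, and the assumption that REMOTE_USER arrives as user@REALM are illustrative.

```php
<?php
// Added example. Assumed Apache config: only the login URL carries the
// mod_auth_kerb directives from the quoted message:
//   <Location "/session/http">
//     AuthType Kerberos
//     AuthName "Kerberos Login"
//     require valid-user
//     KrbMethodNegotiate On
//     Krb5Keytab "/etc/httpd/httpd.keytab"
//   </Location>
declare(strict_types=1);

const EXPECTED_REALM = 'EXAMPLE.COM'; // placeholder realm (assumption)

function start_app_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) return;
    session_set_cookie_params([
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from the script served at /session/http, after Apache has authenticated.
function login_from_kerberos(array $server): bool {
    $principal = $server['REMOTE_USER'] ?? '';
    // Accept only user@EXPECTED_REALM; reject empty or foreign-realm principals.
    $pattern = '/^([A-Za-z0-9._-]+)@' . preg_quote(EXPECTED_REALM, '/') . '$/';
    if (!preg_match($pattern, $principal, $m)) return false;
    start_app_session();
    session_regenerate_id(true);   // fresh ID at login blocks session fixation
    $_SESSION['user'] = $m[1];
    $_SESSION['auth_method'] = 'kerberos';
    return true;
}

// Call on every other page: it trusts the session, never REMOTE_USER.
function current_user(): ?string {
    start_app_session();
    return $_SESSION['user'] ?? null;
}

// Logout discards the PHP session; Kerberos tickets on the client are untouched.
function logout(): void {
    start_app_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}
```

Because the browser still holds its tickets after logout, a later visit to /session/http signs the user back in without a prompt whenever Negotiate succeeds.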
