.htaccess prompt for password
Actually it is working this way (simplified):
- browser sends request to your server without credentials
- Apache responses with 403 error because "require valid-user" was specified
- browser prompts for username & password
- browser sends request again, this time credentials are provided
- Apache verifies credentials against AuthUserFile and sets "valid-user" accordingly
- if everything is OK - puts out data with 200 status code
- browser that receives 200 code caches used credentials for the relevant domain until browser session expires
As you see - problem lays in browser. You cannot force browser to forget password it uses for a domain. And usually you don't want to - for example if password protected page contains images - browser would require username and password for each downloaded image.
However there are some tips you could try:
- you could write your own Apache authorization handler that only authorises user every second time it is accessing the page; but it's hard to do really
- you could use some kind of form-based authentication (in script like php or asp.net) instead of relying on http authentication; this way is quite flexible
- you could do a trick, that every time a protected page is accessed some kind of script changes the password in
passwd
file; then provide two passwords for each user and switch them on each request; this way browser always remember "wrong" password; it seems crazy but this is an easiest solution I could think of :-)