.htaccess prompt for password

Actually it is working this way (simplified):

• browser sends request to your server without credentials
• Apache responses with 403 error because "require valid-user" was specified
• browser prompts for username & password
• browser sends request again, this time credentials are provided
• Apache verifies credentials against AuthUserFile and sets "valid-user" accordingly
• if everything is OK - puts out data with 200 status code
• browser that receives 200 code caches used credentials for the relevant domain until browser session expires

As you see - problem lays in browser. You cannot force browser to forget password it uses for a domain. And usually you don't want to - for example if password protected page contains images - browser would require username and password for each downloaded image.

However there are some tips you could try:

• you could write your own Apache authorization handler that only authorises user every second time it is accessing the page; but it's hard to do really
• you could use some kind of form-based authentication (in script like php or asp.net) instead of relying on http authentication; this way is quite flexible
• you could do a trick, that every time a protected page is accessed some kind of script changes the password in passwd file; then provide two passwords for each user and switch them on each request; this way browser always remember "wrong" password; it seems crazy but this is an easiest solution I could think of :-)