I have this secured admin area under /admin/. Users need to be logged in via HTTP basic auth (http_basic set to true in security.yml).
My goal is, for a specific action in a specific controller, to re-ask the user for his username/password. I thought this would be simple, but according to my research it appears it is not.
I have tried to unset both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], but it seems to have no effect. I also tried to change the header to set a 401 status code, but this has no effect either.
How can this be achieved?
First of all, HTTP Basic Authentication was NOT designed to support logging out.
That means you cannot guarantee it on every browser; neither with the 401 trick nor with the redirection [email protected] to invalidate the credentials.
See this answer.
So it is a bad habit to use it when you need to log out your user.
You should use the custom authentication provided by FOSUserBundle if you want to re-ask the user's credentials. It's pretty simple and secure.
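To make the answer's advice concrete, here is an added example (not code from the question, the answer, or FOSUserBundle) of the form-based approach it points to: instead of trying to make the browser's Basic-auth dialog reappear, the sensitive action asks the already-logged-in user to confirm their password in a form and remembers the confirmation in the session for a short time. It is plain PHP so it runs stand-alone; the identity is taken from PHP_AUTH_USER as verified by the firewall in the question, and REAUTH_MAX_AGE, the in-memory user store, and deleteUser() are assumptions for the demo.

```php
<?php
// Added example, not code from the question or the answer: a form-based
// "confirm your password" step for one sensitive action, which is the
// approach the answer recommends over forcing HTTP Basic auth to re-prompt.
// REAUTH_MAX_AGE, the user store and deleteUser() are demo assumptions.
declare(strict_types=1);

session_start();

const REAUTH_MAX_AGE = 300; // seconds a confirmed password stays valid

// Constructed demo user store. A real app looks the hash up in its DB;
// the hash is computed here only so the example is self-contained.
function findPasswordHash(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

// True when the user has not confirmed their password recently enough.
function needsReauth(array $session, int $now): bool
{
    $confirmedAt = $session['reauth_at'] ?? 0;
    return ($now - $confirmedAt) > REAUTH_MAX_AGE;
}

// Check the CSRF token and the submitted password for the logged-in user.
// On success, record the confirmation time and rotate the session id.
function confirmPassword(string $username, array $post, array &$session): bool
{
    if (!hash_equals($session['csrf'] ?? '', $post['csrf'] ?? '')) {
        return false; // reject cross-site submissions
    }
    $hash = findPasswordHash($username);
    if ($hash === null || !password_verify($post['password'] ?? '', $hash)) {
        return false;
    }
    session_regenerate_id(true);
    $session['reauth_at'] = time();
    return true;
}

function renderReauthForm(array &$session, string $error = ''): string
{
    $session['csrf'] = $session['csrf'] ?? bin2hex(random_bytes(16));
    $csrf = htmlspecialchars($session['csrf'], ENT_QUOTES, 'UTF-8');
    $msg = $error === '' ? '' : '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    return <<<HTML
<form method="post">{$msg}
  <p>Please confirm your password to continue.</p>
  <input type="hidden" name="csrf" value="{$csrf}">
  <input type="password" name="password" autocomplete="current-password" required>
  <button type="submit">Confirm</button>
</form>
HTML;
}

// Demo stand-in for the sensitive operation.
function deleteUser(int $id): string
{
    return "User {$id} deleted.";
}

// --- the sensitive action, e.g. /admin/user/delete ---
// The Basic-auth firewall already verified the user; we only use the name.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
if ($user === '') {
    http_response_code(403);
    exit('Log in first.');
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['password'])) {
    if (!confirmPassword($user, $_POST, $_SESSION)) {
        $error = 'Wrong password.';
    }
}
if (needsReauth($_SESSION, time())) {
    exit(renderReauthForm($_SESSION, $error));
}

echo deleteUser((int) ($_GET['id'] ?? 0));
```

Run it with `php -S localhost:8000 reauth.php` and open it in a browser with Basic credentials for the user `admin`: the first request shows the confirmation form, and after a correct password the action runs without re-asking for the next five minutes. Because the confirmation is a normal form, it behaves the same in every browser, which is exactly what the Basic-auth 401 trick cannot promise.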