
That's right. I have an .htaccess file in a folder called admin, inside of my web directory. It contains this:

    AuthType Basic
    AuthName "Password Protected Area"
    AuthUserFile /storage/ssd2/048/1839048/.htpasswd
    Require valid-user

I also have an .htpasswd file above my web directory, so visitors can't see it:

    test:dGRkPurkuWmW2

Everything works fine, but I can't figure out how this method of authentication can save passwords. When I accessed the protected directory for the first time, it asked me for the user and password, but now that I'm refreshing the page it doesn't ask me anymore. I cleared cookies in my browser and restarted it, but the password is still saved. Anyone knows how this works?

  • en.wikipedia.org/wiki/Basic_access_authentication#Protocol Commented Jun 2, 2017 at 12:56
  • Is there a way to make it ask me for the login every time I access the page? (sorry, I'm kind of a noob at this) Commented Jun 2, 2017 at 13:00
  • You can force the browser to reauthenticate by sending the appropriate 401 header with every request. But I don't see why anybody would want to do that. Commented Jun 2, 2017 at 13:02

1 Answer

Clearing cookies didn't help because the password is saved by the browser, but it's not in a cookie defined in HTTP State Management Mechanism (RFC 6265), like for example session IDs:

== Server -> User Agent ==

    Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
    Set-Cookie: lang=en-US; Path=/; Domain=example.com

== User Agent -> Server ==

    Cookie: SID=31d4d96e407aad42; lang=en-US

This kind of SID is used by more sophisticated authentication mechanisms that only check once for a password and then trust that this user is authenticated based only on the presence of the cookie.

Instead, AuthType Basic uses the Authorization = credentials header from HTTP Authentication (RFC 7235, 4.2). This is a very basic authentication mechanism that sends the credentials on every HTTP request, in the format: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ].

The browser keeps sending it until it gets a new 401 Unauthorized status code in the HTTP response:

If a request is authenticated and a realm specified, the same credentials are presumed to be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, such as credentials that vary according to a challenge value or using synchronized clocks).

One way to force this without actively configuring something to send 401 is to cause the user to use a URL with another username and password in it, i.e. http://forcelog:[email protected]/ (link or JS).

Browsers usually clear basic authentication information on restart. Additionally (not a complete list):

  • Chrome & Chromium clear it when you restart with chrome://restart in the address bar.
  • Firefox clears it when you clear history: Active Logins.
  • Internet Explorer allows an ActiveX control to clear it.
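A minimal model of the exchange the answer describes, as an added example that is not from the question or the answer: the server replies 401 with a WWW-Authenticate challenge until a valid Authorization: Basic header arrives, checks the credentials against an .htpasswd entry, and any later 401 is what makes the browser prompt again. The .htpasswd entry here is constructed in Apache's {SHA} format (what `htpasswd -s` writes) rather than the crypt entry in the question, and the user/password pair test/secret is made up for this example.

```python
import base64
import hashlib
import hmac

REALM = "Password Protected Area"  # the AuthName from the question's .htaccess

def sha_htpasswd_line(user: str, password: str) -> str:
    """Build one .htpasswd line in Apache's {SHA} format (htpasswd -s)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

# Constructed sample .htpasswd contents; the password "secret" is made up here.
HTPASSWD = sha_htpasswd_line("test", "secret") + "\n"

def build_authorization(user: str, password: str) -> str:
    """What the browser sends on every request: 'Basic' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_authorization(value: str):
    """Return (user, password) from a Basic credentials string, or None if malformed."""
    scheme, _, token68 = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token68:
        return None
    try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        decoded = base64.b64decode(token68.strip(), validate=True).decode("utf-8")
    except ValueError:
        return None
    user, sep, password = decoded.partition(":")  # user-id may not contain ':'
    return (user, password) if sep else None

def check_credentials(htpasswd: str, user: str, password: str) -> bool:
    """Verify against {SHA} entries only; other hash formats are rejected here."""
    expected = sha_htpasswd_line(user, password)
    for line in htpasswd.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        # constant-time compare so a near-miss cannot be told apart by timing
        if hmac.compare_digest(line.strip(), expected):
            return True
    return False

def authorize(headers: dict, htpasswd: str, realm: str = REALM):
    """Server side of RFC 7235: 401 + challenge until valid credentials arrive."""
    challenge = f'Basic realm="{realm}"'
    creds = parse_authorization(headers.get("Authorization", ""))
    if creds is None or not check_credentials(htpasswd, *creds):
        return 401, challenge  # a fresh 401 is what makes the browser prompt again
    return 200, None
```

Calling `authorize({}, HTPASSWD)` gives the first-visit challenge, and `authorize({"Authorization": build_authorization("test", "secret")}, HTPASSWD)` is what every later request in the realm looks like, which is why the browser never asks again.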
