Firefox has a very annoying “feature” – it remembers any HTTP authentication tokens for as long as Firefox remains open. And by “open”, I mean “the browser is running”, not “the tab/window is open”.
Why is this bad? For several reasons. One, it makes cross-site scripting attacks easier. Once you log in to a web site that uses HTTP authentication, you’ll stay logged in. If you leave Firefox running for days, you’re vulnerable for days.
Two, suppose you want to log in to the same site with different credentials. Perhaps you have both an admin account and a regular user account, and you want to switch between them. Or perhaps you are setting up a site and need to test another user’s login. The only way to do this with Firefox now (as of 3.0.13) is to completely quit the browser and restart.
Enter: the Web Developer extension. This is a great extension, but it has far more features than you’re likely to need. On the other hand, it is great for dissecting web sites, viewing table borders, and eliminating annoying CSS themes. And it has a way to clear HTTP authentication tokens.
Install the extension. If you prefer, hide the “Web Developer” tool bar. Now to log out of HTTP auth, navigate through the menus Tools -> Web Developer -> Miscellaneous -> Clear Private Data -> HTTP Authentication.
Warning: basic HTTP authentication is not secure. Digest HTTP authentication is better. You should only use either of these with HTTPS, so your transport is encrypted end to end.
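To make the warning concrete, here is an added example (not part of the original post) that decodes a Basic `Authorization` header back to its password and computes an RFC 2617 Digest response for comparison. The user name, password and header value are constructed sample data.

```python
import base64
import hashlib


def decode_basic(header):
    """Recover (user, password) from a Basic Authorization header value.

    Basic is only base64 of "user:password", so anyone who sees one
    request on the wire can read the password back out.
    """
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    text = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential (no colon)")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 Digest response for qop=auth.

    Only this hash crosses the wire; it is bound to the server nonce and
    the request, so it does not reveal the password directly.
    """
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


# Constructed sample credential, as the browser would resend it on every request.
USER, PASSWORD = "alice", "s3cret"
BASIC_HEADER = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

if __name__ == "__main__":
    print("Basic header:      ", BASIC_HEADER)
    print("Recovered password:", decode_basic(BASIC_HEADER)[1])
    resp = digest_response(USER, "example", PASSWORD, "GET", "/",
                           "constructed-nonce", "00000001", "constructed-cnonce")
    print("Digest response:   ", resp)
```

Digest still relies on MD5 and gives no confidentiality for the page content, which is why both schemes belong behind HTTPS.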
Update 2009-11-25: Since upgrading to Firefox 3.5, you no longer need this extension to log out of HTTP auth. As noted in the comments below, go to Tools -> Clear Recent History -> Details, check only “Active Logins”, and then press “Clear Now”.