HTTP Basic Authentication - what's the expected browser experience?

Question

When a server allows access via Basic HTTP Authentication, what is the experience expected to be on the browser?

I typically just do this with curl:

curl -u myusername:mypassword http://somesite.com

And it works just fine. However, right now I don't have access to curl (long story), and I want to just do it from the web browser, if possible.

I thought the way Basic Auth was supposed to work was - I type in the url I want, the server then decides I'm not authorized, returns response code 401, and I type my username and password into a prompt. If it's correct, the page loads!

However, on somesite.com, I'm not getting an authorization prompt at all, just a page that says I'm not authorized. Did somesite not implement the Basic Auth workflow correctly, or is there something else I need to do?

Answer 1

You might have old invalid username/password cached in your browser. Try clearing them and check again.

If you are using IE and somesite.com is in your Intranet security zone, IE may be sending your windows credentials automatically.

Answer 2

WWW-Authenticate header

You may also get this if the server is sending a 401 response code but not setting the WWW-Authenticate header correctly - I should know, I've just fixed that in out own code because VB apps weren't popping up the authentication prompt.