The Rest of the HTTP-Auth Story
The missing piece in all of this information is what happens if the user credentials are embedded in the first request for the information. Does the server always send a 401 on the first request?
The answer is that the server always looks for user credentials and sends the 401 code only if protected information has been requested without corresponding credentials. This exchange is the key, and it is missing from most online resources that detail HTTP-Auth. (Alas, dear reader, it is also information that I have withheld in this discussion so far, to place the information in the correct context. My apologies.)
The real process the server goes through when dealing with requests requiring authorization looks more like the process in Figure 4 than that shown in Figure 3—it checks for authorization credentials on every request, including the first one.
Figure 4 The missing link: The server checks for credentials on each request.
If a script includes the correct required credentials in the original request, the web server looks for, finds, parses, and uses the supplied credentials during the first request, and provides the requested information. Therefore, clients don’t have to send an original request, wait for the 401 response, and then resend the request with appropriate credentials. It can all be handled with one properly formatted request.
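The exchange described above, as an added example that is not code from the original article: a local test server checks credentials on every request, and a client gets the protected content in a single request by sending the Authorization header up front. The Basic scheme, the demo:example-pass credentials, the /private path, and the names Handler, fetch and run_demo are assumptions made for this illustration.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credentials; the Basic scheme is an assumption of this example.
EXPECTED = b"Basic " + base64.b64encode(b"demo:example-pass")


class Handler(BaseHTTPRequestHandler):
    hits = 0  # number of requests the server has handled

    def do_GET(self):
        Handler.hits += 1
        # Credentials are looked for on every request, including the first one.
        supplied = self.headers.get("Authorization", "").encode("latin-1")
        ok = hmac.compare_digest(supplied, EXPECTED)  # constant-time comparison
        body = b"protected content\n" if ok else b""
        self.send_response(200 if ok else 401)
        if not ok:
            # 401 only when protected data is requested without valid credentials.
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(port, with_credentials):
    """Send exactly one GET for /private and return the HTTP status code."""
    headers = {"Authorization": EXPECTED.decode()} if with_credentials else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/private", headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_demo():
    """Return (status without credentials, status with them, requests seen)."""
    Handler.hits = 0
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_port
        return fetch(port, False), fetch(port, True), Handler.hits
    finally:
        server.shutdown()
        server.server_close()
```

Because the header carries the credentials on every request, a client that sends it preemptively should do so only over TLS.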