There seem to be 2 kinds of HTTP authentication: Basic access authentication and Digest access authentication.
So I think in general, a user tries to access a URL, and the web server returns 401 Unauthorized, and then the browser pops up an app window asking for username and password, and then sets the credentials in the HTTP headers and sends the HTTP request again.
What about http://peter:[email protected] ? Is that supposed to not wait for the 401 to come back but provide the username and password in advance? Somehow, I tried http://peter:[email protected] or Yahoo, but inside of Fiddler (to monitor net traffic), I don't see any credential info in the HTTP request?
You still need to send the 401 on the server side. The user:pass@host is just a convenience to avoid displaying the login dialog.
If you think about it, this makes sense, because if you don't send the 401 with the header explaining which method to use, the client doesn't know how to format the credentials.
(There are actually any number of schemes, not just Basic and Digest.)
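The point made in the answer above, as an added example that is not part of the original post: a minimal client-side sketch showing that the Authorization header can only be built once the 401's WWW-Authenticate challenge names the scheme and, for Digest, supplies the realm and nonce. The function names are hypothetical, the sample values are the worked examples from RFC 7617 and RFC 2617, and the cnonce is fixed only to reproduce the RFC result (a real client generates it randomly).

```python
import base64
import hashlib
import re

# Sample challenges: values from the RFC 7617 and RFC 2617 worked examples.
BASIC_CHALLENGE = 'Basic realm="WallyWorld"'
DIGEST_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest)
    return scheme.lower(), {k.lower(): quoted or bare for k, quoted, bare in pairs}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def authorization_for(challenge, user, password, method="GET", uri="/",
                      cnonce="0a4f113b", nc="00000001"):
    """Return the Authorization header value, or None if no challenge was seen."""
    if challenge is None:
        # No 401 yet: the scheme is unknown, so nothing can be formatted.
        return None
    scheme, p = parse_challenge(challenge)
    if scheme == "basic":
        # Base64 is an encoding, not encryption: Basic relies on TLS underneath.
        return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    if scheme == "digest":
        # realm and nonce exist only in the server's challenge (qop=auth, MD5).
        ha1 = md5_hex(f"{user}:{p['realm']}:{password}")
        ha2 = md5_hex(f"{method}:{uri}")
        response = md5_hex(f"{ha1}:{p['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        return (f'Digest username="{user}", realm="{p["realm"]}", '
                f'nonce="{p["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
                f'cnonce="{cnonce}", response="{response}", '
                f'opaque="{p.get("opaque", "")}"')
    raise ValueError(f"unsupported scheme: {scheme}")

if __name__ == "__main__":
    # "example-password" is a constructed placeholder.
    print(authorization_for(None, "peter", "example-password"))
    print(authorization_for(BASIC_CHALLENGE, "Aladdin", "open sesame"))
    print(authorization_for(DIGEST_CHALLENGE, "Mufasa", "Circle Of Life",
                            uri="/dir/index.html"))
```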