MemeStreams Discussion
This page contains all of the posts and discussion on MemeStreams referencing the following web page: Memestreams and HTTP Authentication.

Memestreams and HTTP Authentication
by Acidus at 3:52 pm EDT, Aug 20, 2007

Update: Jeff feels my pain.

Here is how HTTP authentication is supposed to work:



In HTTP authentication, the browser uses a dialog box to get the user's credentials. It looks something like this.



A (perceived) downside to HTTP authentication is that web designers cannot control this dialog. Some people find this ugly and it messes with website design and layout. As a result, many websites use what is called forms authentication, where the website collects a user's credentials in an HTML form, and submits them to the server.

Unfortunately, Memestreams does an RFC-violating combination of the two. It responds to resources that require login with a 401, but without specifying the WWW-Authenticate header to tell the browser how to send the credentials back.

What should happen is this:

Client                          Server
            -------------->
        GET /recommend/ HTTP/1.1

Client                          Server
            <--------------
        HTTP/1.1 302 Redirect
        Location: /login/?returnURL=/recommend/

Client                          Server
            -------------->
        GET /login/?returnURL=/recommend/ HTTP/1.1

Client                          Server
            <--------------
        HTTP/1.1 200 Ok

[user fills in username/password]

Client                          Server
            -------------->
        POST /login/?returnURL=/recommend/ HTTP/1.1
        [post data with username and password]

Client                          Server
            <--------------
        HTTP/1.1 302 Redirect
        Location: /recommend/
        Set-Cookie: [set valid session cookie]

Client                          Server
            -------------->
        GET /recommend/ HTTP/1.1

Client                          Server
            <--------------
        HTTP/1.1 200 Ok
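
The two compliant flows from the post side by side, as an added example that is not part of the original post and not MemeStreams code: one handler that challenges with a 401 plus WWW-Authenticate (HTTP Basic), one that runs the 302 / login form / Set-Cookie dance drawn above, a stand-in for the broken hybrid (401 with no WWW-Authenticate), and a check that flags it. The /recommend/ path comes from the post; the user name, password, cookie name and realm are made-up assumptions.

```python
"""Two RFC-compliant ways to ask for credentials, plus a check for the
401-without-WWW-Authenticate hybrid described in the post. Pure functions,
no sockets: each call returns (status, headers, body)."""
import base64
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed credential store for the example; a real app verifies a hash.
USERS = {"acidus": "hunter2"}


def basic_header(user, pw):
    """Build the Authorization header a browser sends after the dialog."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


class App:
    def __init__(self, mode):
        assert mode in ("basic", "forms")
        self.mode = mode
        self.sessions = {}  # session cookie value -> user name

    def handle(self, method, path, headers=None, body=""):
        headers = headers or {}
        url = urlparse(path)
        if self.mode == "forms" and url.path == "/login/":
            return self._login(method, url, body)
        user = self._authed_user(headers)
        if user is None:
            return self._challenge(path)
        return 200, {"Content-Type": "text/plain"}, f"hello {user}"

    def _authed_user(self, headers):
        if self.mode == "basic":
            scheme, _, creds = headers.get("Authorization", "").partition(" ")
            if scheme.lower() != "basic":
                return None
            try:
                user, _, pw = base64.b64decode(creds).decode().partition(":")
            except Exception:  # malformed base64 / non-UTF-8 payload
                return None
            return user if USERS.get(user) == pw else None
        morsel = SimpleCookie(headers.get("Cookie", "")).get("session")
        return self.sessions.get(morsel.value) if morsel else None

    def _challenge(self, path):
        if self.mode == "basic":
            # RFC 7235 s.3.1 / RFC 2616 s.10.4.2: a 401 MUST carry this header,
            # otherwise the browser has no way to know how to answer.
            return 401, {"WWW-Authenticate": 'Basic realm="memestreams"'}, ""
        # Forms auth never sends a 401; it redirects to the login page.
        return 302, {"Location": "/login/?" + urlencode({"returnURL": path})}, ""

    def _login(self, method, url, body):
        ret = parse_qs(url.query).get("returnURL", ["/"])[0]
        if not ret.startswith("/") or ret.startswith("//"):
            ret = "/"  # refuse off-site returnURL (open redirect guard)
        if method == "GET":
            return 200, {"Content-Type": "text/html"}, "<form method=post>...</form>"
        form = parse_qs(body)
        user = form.get("username", [""])[0]
        if USERS.get(user) != form.get("password", [""])[0]:
            return 200, {"Content-Type": "text/html"}, "bad login, try again"
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        cookie = f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return 302, {"Location": ret, "Set-Cookie": cookie}, ""


def broken_challenge():
    """Stand-in for the behaviour the post complains about."""
    return 401, {}, ""


def check_response(status, headers):
    """Flag a 401 that gives the client no scheme to respond with."""
    if status == 401 and "WWW-Authenticate" not in headers:
        return "401 without WWW-Authenticate: browser cannot prompt"
    return "ok"


def forms_walkthrough():
    """Replay the six-step exchange drawn in the post; returns status codes."""
    app, trace = App("forms"), []
    s, h, _ = app.handle("GET", "/recommend/")
    trace.append(s)
    s, h, _ = app.handle("GET", h["Location"])
    trace.append(s)
    creds = urlencode({"username": "acidus", "password": "hunter2"})
    s, h, _ = app.handle("POST", "/login/?returnURL=/recommend/", body=creds)
    trace.append(s)
    cookie = h["Set-Cookie"].split(";")[0]  # what the browser stores
    s, h, _ = app.handle("GET", h["Location"], {"Cookie": cookie})
    trace.append(s)
    return trace


if __name__ == "__main__":
    print(App("basic").handle("GET", "/recommend/")[:2])
    print(check_response(*broken_challenge()[:2]))
    print(forms_walkthrough())
```

Running the script prints the Basic challenge, the complaint for the broken 401, and the status trace 302, 200, 302, 200 matching the diagram. The check_response function is the thing to run against a real server's reply: pick either branch of the decision, but a 401 that omits WWW-Authenticate satisfies neither the browser nor the RFC.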


 
RE: Memestreams and HTTP Authentication
by Rattle at 3:02 am EDT, Aug 21, 2007

Unfortunately, Memestreams does an RFC-violating combination of the two. It responds to resources that require login with a 401, but without specifying the WWW-Authenticate header to tell the browser how to send the credentials back.

Noted.. "Oops." I'll fix it at some point.


 
 