Update: Jeff feels my pain. Here is how HTTP authentication is supposed to work:
In HTTP authentication, the browser uses a dialog box to get the user's credentials. It looks something like this.
A (perceived) downside to HTTP authentication is that web designers cannot control this dialog. Some people find it ugly, and it messes with website design and layout. As a result, many websites use what is called FORMs authentication, where the website collects a user's credentials in an HTML form and submits them to the server. Unfortunately, Memestreams does an RFC-violating combination of the two. It responds to requests for resources that require login with a 401, but without specifying the WWW-Authenticate header to tell the browser how to send the credentials back. What should happen is this:
Client --------------> Server
GET /recommend/ HTTP/1.1

Client <-------------- Server
HTTP/1.1 302 Redirect
Location: /login/?returnURL=/recommend/

Client --------------> Server
GET /login/?returnURL=/recommend/ HTTP/1.1

Client <-------------- Server
HTTP/1.1 200 Ok
[user fills in username/password]

Client --------------> Server
POST /login/?returnURL=/recommend/ HTTP/1.1
[post data with username and password]

Client <-------------- Server
HTTP/1.1 302 Redirect
Location: /recommend/
Set-Cookie: [set valid session cookie]

Client --------------> Server
GET /recommend/ HTTP/1.1

Client <-------------- Server
HTTP/1.1 200 Ok
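
The exchange above as a runnable WSGI sketch, added here as an example and not MemeStreams' or the author's code. The names `app`, `safe_return`, `request`, the `session` cookie and the demo account are assumptions, and the check that keeps `returnURL` on local paths goes beyond what the post shows.

```python
import io, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, quote

USERS = {"alice": "correct horse"}  # constructed demo account; real sites store password hashes
SESSIONS = set()                    # session ids issued by this process

def safe_return(url):
    # Accept only local paths so returnURL cannot send the browser off-site.
    ok = url.startswith("/") and not url.startswith("//") and "\\" not in url
    return url if ok else "/"

def logged_in(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return "session" in cookie and cookie["session"].value in SESSIONS

def app(environ, start_response):
    path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
    query = parse_qs(environ.get("QUERY_STRING", ""))
    if path == "/login/":
        target = safe_return(query.get("returnURL", ["/"])[0])
        if method == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode())
            user, password = (form.get(k, [""])[0] for k in ("username", "password"))
            if user in USERS and secrets.compare_digest(USERS[user].encode(), password.encode()):
                sid = secrets.token_urlsafe(32)
                SESSIONS.add(sid)
                start_response("302 Found", [("Location", target),
                    ("Set-Cookie", f"session={sid}; HttpOnly; Path=/; SameSite=Lax")])
                return [b""]
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<form method='post'><input name='username'><input name='password' type='password'></form>"]
    if not logged_in(environ):
        # Forms auth answers with a redirect to the login page, not a 401 lacking WWW-Authenticate.
        start_response("302 Found", [("Location", "/login/?returnURL=" + quote(path, safe="/"))])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"protected resource"]

def request(method, path, query="", body=b"", cookie=""):
    # Drive the app in-process and return (status, headers) for inspection.
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body), "HTTP_COOKIE": cookie}
    app(environ, start_response)
    return seen["status"], seen["headers"]
```

Calling `request("GET", "/recommend/")` and then following each response reproduces the four round trips in the diagram.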