Absolutely nothing in the spec says usually, and infrequently you can't make use of a 401 in that predicament due to the fact returning a 401 is only lawful if you include a WWW-Authenticate header. This is as simple as it receives, but might be incriminating if there is even http://pigpgs.com