Practically nothing while in the spec says usually, and often you can't utilize a 401 in that circumstance since returning a 401 is just lawful should you include things like a WWW-Authenticate header. If HTTP authentication is not really in use as well as company contains a cookie-dependent authentication scheme http://pigpgs.com