HTTP Basic Authentication
The HTTP protocol has built-in mechanisms for authentication. A server that receives an unauthorized request for a protected resource returns a 401 response status code along with a WWW-Authenticate header, which indicates the authentication scheme required to access the protected resource. The client must then repeat the request with an appropriate Authorization header. An HTTP proxy can also add a layer of authentication that uses Proxy-Authenticate and Proxy-Authorization headers in the same way.
One of the standard HTTP authentication schemes is HTTP Basic authentication, which requires every user request for a resource within the protected realm (a portion of the web site) to carry a valid user name and password. To avoid prompting the user again for each request, the HTTP client (web browser) stores the user name and password and supplies them with every request.
However, the HTTP server cannot force the browser to clear the user name and password because they are cached per protected realm on the client side. Thus, the HTTP server cannot force re-authentication. This limitation can be addressed by using an alternative authentication mechanism, such as a single sign-on tool.
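The exchange described above, as an added Python example that is not part of the original documentation: a toy in-process server issues the 401 challenge, and a browser-like client caches the credentials per realm and resends them. The account, realm name, and all function and class names are constructed for illustration.

```python
import base64
import hmac
import re

USERS = {"alice": "s3cret"}   # constructed sample account
REALM = "example-realm"       # constructed realm name

def server(headers):
    """Toy origin server: 200 for valid Basic credentials, else a 401 challenge."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            raw = base64.b64decode(token, validate=True).decode()
        except ValueError:      # malformed Base64 or non-UTF-8 bytes
            raw = ""
        user, _, pw = raw.partition(":")
        expected = USERS.get(user, "")
        if user in USERS and hmac.compare_digest(expected.encode(), pw.encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

class Client:
    """Browser-like client: caches credentials per realm and resends them."""
    def __init__(self, prompt):
        self.prompt = prompt    # callable(realm) -> (user, password)
        self.cache = {}         # realm -> Authorization header value
        self.sent = []          # Authorization value sent with each request

    def _send(self, auth):
        self.sent.append(auth)
        return server({"Authorization": auth} if auth else {})

    def get(self):
        # Single-realm simplification: reuse whatever is cached, if anything.
        auth = next(iter(self.cache.values()), None)
        status, resp = self._send(auth)
        if status == 401:
            realm = re.search(r'realm="([^"]*)"', resp["WWW-Authenticate"]).group(1)
            user, pw = self.prompt(realm)
            auth = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
            status, _ = self._send(auth)
            if status == 200:
                self.cache[realm] = auth   # only the client can clear this entry
        return status

def decode_basic(header_value):
    """Base64 is an encoding, not encryption: the header reveals the password."""
    return base64.b64decode(header_value.split(" ", 1)[1]).decode()
```

Because the Authorization value decodes directly back to the user name and password, Basic authentication should only be carried over TLS.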