Reputation: 2894
My question is: is this process repeated over and over for each protected resource?
Upvotes: 1
Views: 360
Reputation: 1
Once the user inputs the password, the browser will remember it. Each time the client requests the resource at the same website, the browser will send the authentication header automatically.
Upvotes: 0
Reputation: 4023
Look at RFC 2617. There it is stated for basic authentication:
Upon receipt of an unauthorized request for a URI within the protection space, the origin server MAY respond with a challenge ...
and also
A client SHOULD assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge. A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the Proxy-Authorization header field without receiving another challenge from the proxy server.
So, from the server side this may occur at any request that the server deems unauthenticated. If resource Y does not share the prefix that had been authenticated with resource X, then the server will re-request authentication.
To avoid this, the authentication scheme could, for example, request authentication for a common prefix of the related resources, such that authentication for the prefix of resource X also covers resource Y as a prefix. This will allow the client to send the authentication header and cause the server to detect the call as already being authenticated.
Upvotes: 1
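The prefix rule quoted from RFC 2617 above, as an added example that is not part of any answer on this page: a minimal client-side credential cache that decides when a Basic Authorization header may be sent preemptively. The class and function names, URLs and credentials are constructed for illustration; the cache keys only on origin (scheme, host, port) and path prefix, whereas a full client would also record the realm from the challenge.

```python
import base64
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _split(url):
    """Return ((scheme, host, port), normalized path) for a URL."""
    u = urlsplit(url)
    path = u.path or "/"
    norm = posixpath.normpath(path)          # collapse "." and ".." segments
    if path.endswith("/") and norm != "/":
        norm += "/"                          # normpath drops the trailing slash
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)), norm

def protection_prefix(challenged_url):
    """Origin plus the path up to the last symbolic element of the challenged URL."""
    origin, path = _split(challenged_url)
    return origin, path[: path.rfind("/") + 1]

class BasicCredentialCache:
    def __init__(self):
        self._entries = []   # (origin, path prefix, Authorization value)

    def remember(self, challenged_url, user, password):
        """Store credentials that were accepted after a 401 for challenged_url."""
        origin, prefix = protection_prefix(challenged_url)
        token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
        self._entries.append((origin, prefix, "Basic " + token))

    def preemptive_header(self, url):
        """Return the Authorization value to send without a challenge, or None."""
        origin, path = _split(url)
        matches = [(len(p), h) for o, p, h in self._entries
                   if o == origin and path.startswith(p)]
        return max(matches)[1] if matches else None   # longest prefix wins

if __name__ == "__main__":
    cache = BasicCredentialCache()
    # Constructed sample URLs and credentials.
    cache.remember("http://example.test/docs/x/index.html", "alice", "s3cret")
    for url in ("http://example.test/docs/x/sub/page.html",   # deeper: sent
                "http://example.test/other/y.html",           # no shared prefix
                "https://example.test/docs/x/page.html"):     # other origin
        print(url, "->", cache.preemptive_header(url))
```

Matching on the full origin keeps the header from being replayed to a different scheme, host or port, and normalizing dot segments stops a path such as `/docs/x/../../admin` from matching the `/docs/x/` prefix.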