Reputation: 50980
I implemented HTTP digest authentication in my CherryPy application using the built-in tools.auth_digest tool. This was easy and seemed to work well as I tested during the day.
This evening, I attempted to access the application from the same browser I used earlier today (but from a different IP address). For whatever reason I was prompted for credentials. I may have entered the wrong password but, again for whatever reason, I got into the situation where my browser is sending an authentication header with each request, but with username="".
CherryPy responds to this with a status of 400 Bad Request.
I'm now in a situation where I can't enter new credentials to get into the site (with this browser — I can use a browser that's not "polluted" with the bad authorization header without trouble). To enter new credentials, my understanding is that CherryPy should return 401 Unauthorized, which should prompt the browser to request credentials.
My two-part question is:
What can I do to clear the authorization info on my browser?
Am I correct that the correct response to this situation should be 401 Unauthorized rather than 400 Bad Request?
Upvotes: 1
Views: 1112
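As an added illustration of the second question (not part of the original post and not CherryPy's code), this standard-library Python example separates a structurally malformed Digest header (400) from a well-formed one whose credentials cannot be accepted, such as username="" (401 with a fresh challenge, so the browser can prompt again). The status policy, the names `authenticate`, `ha1_for` and `KEY`, and the use of MD5 with qop=auth are assumptions of the example.

```python
import hashlib, hmac, re, secrets, time
# Added example: the 400-vs-401 policy here is an assumption, not CherryPy's code.
REQUIRED = ("username", "realm", "nonce", "uri", "response")
KEY = secrets.token_bytes(32)  # hypothetical per-process nonce-signing key
_PAIR = re.compile(r'\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,"]+))\s*(?:,|$)')

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce(now=None):
    ts = str(int(time.time() if now is None else now))
    return ts + ":" + hmac.new(KEY, ts.encode(), "sha256").hexdigest()

def nonce_ok(nonce, max_age=600):
    ts, _, mac = nonce.partition(":")
    good = hmac.new(KEY, ts.encode(), "sha256").hexdigest()
    return hmac.compare_digest(mac.encode(), good.encode()) and time.time() - int(ts) <= max_age

def parse_digest(header):
    """Return the Digest parameters as a dict, or None if unparseable."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    params, pos = {}, 0
    while pos < len(rest):
        m = _PAIR.match(rest, pos)
        if not m:
            return None
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    return params

def authenticate(method, header, realm, ha1_for):
    """Return (status, challenge_or_None); ha1_for maps username -> HA1 hex."""
    challenge = f'Digest realm="{realm}", nonce="{make_nonce()}", qop="auth"'
    if header is None:
        return 401, challenge
    p = parse_digest(header)
    if p is None or any(k not in p for k in REQUIRED):
        return 400, None                  # structurally malformed request
    ha1 = ha1_for.get(p["username"])      # "" is just an unknown user
    if ha1 is None or p["realm"] != realm or not nonce_ok(p["nonce"]):
        return 401, challenge             # re-challenge so the browser re-prompts
    ha2 = md5(f'{method}:{p["uri"]}')
    if p.get("qop") == "auth":
        expect = md5(f'{ha1}:{p["nonce"]}:{p.get("nc", "")}:{p.get("cnonce", "")}:auth:{ha2}')
    else:
        expect = md5(f'{ha1}:{p["nonce"]}:{ha2}')
    return (200, None) if hmac.compare_digest(expect.encode(), p["response"].encode()) else (401, challenge)
```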
Reputation: 50980
As pointed out by Perception in the comments, the browser will forget the credentials when closed. I'm guessing that when I tested this and thought I saw the browser remembering credentials between browser sessions, I must have had Chrome open in several different windows simultaneously.
Upvotes: 1