When I try access anything (e.g. /xyz.html) on an author system, Magnolia sends the login form instead, which is perfectly fine. However Magnolia sends this with status code 401, which is also correct from a point of view that it shouldn't be 200, but it's still a problem. Just read on.

On all author systems that I have seen live in my career the responsible server admin placed an additional HTTP Basic authentication in front.

This causes the following problem on Chrome:

• User requests /xyz.html
• Web server sends 401 and requests Basic authentication as configured by server admin.
• Chrome displays login box
• User submits HTTP authentication credentials
• Web server accepts them, and Magnolia sends the Magnolia login form as 401
• Chrome sees 401 and instead of displaying the page sent by the server (=login form) it displays the login box again, assuming a previous authentication failure
• This happens three times, then Chrome says the page can't be loaded.

It works in all other browsers.

I filed this as a Chrome bug, but to my surprise they said the problem is with you, which I understand. They quoted RFC 2616:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a
WWW-Authenticate header field (section 14.47) containing a challenge
applicable to the requested resource.

You are violating this when you send the login form as 401 without including a WWW-Authenticate header, which you are really doing (or not doing) here.

The result is so common from my experience that I'm really surprised that this bug hasn't been addressed yet: All of my Magnolia customers are complaining that their author systems aren't working on Chrome. So, ... I thought I should file this as a bug now just in case you're really still unaware of it.