The typical procedure of a Authentication and Authorization in a website is as follows:

• The client asks for a page that requires authentication but does not provide a user name and password. Typically this is because the user simply entered the address or followed a link to the page.
• The server responds with the 401 response code and provides the authentication realm.
• At this point, the client will present the authentication realm (typically a description of the computer or system being accessed) to the user and prompt for a user name and password. The user may decide to cancel at this point.
• Once a user name and password have been supplied, the client adds an authentication header (with value base64encode(username+":"+password)) to the original request and re-sends it.
• In this example, the server accepts the authentication and the page is returned. If the user name is invalid or the password incorrect, the server might return the 401 response code and the client would prompt the user again.