How can I suppress the browser's authentication dialog?

I encountered the same issue here, and the backend engineer at my company implemented a behavior that is apparently considered a good practice: when a call to a URL returns a 401, if the client has set the header X-Requested-With: XMLHttpRequest, the server drops the WWW-Authenticate header in its response.

The side effect is that the default authentication popup does not appear.

Make sure that your API call has the X-Requested-With header set to XMLHttpRequest. If so, there is nothing to do except change the server behavior according to this good practice...
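The server behavior described in this answer, sketched as a Node.js request listener (an added example, not part of the original answers and not the answerer's backend code). The `verify` and `onAuthorized` callbacks, the realm and the sample credentials are assumptions constructed for illustration.

```javascript
// Node lower-cases incoming header names in req.headers.
function isAjax(headers) {
  const v = headers['x-requested-with'];
  return typeof v === 'string' && v.toLowerCase() === 'xmlhttprequest';
}

// verify(authorizationHeader) -> boolean is a hypothetical credential check
// supplied by the application; realm is a constructed sample value.
function makeListener({ realm, verify, onAuthorized }) {
  return function listener(req, res) {
    if (verify(req.headers['authorization'])) {
      return onAuthorized(req, res);
    }
    // X-Requested-With is client-controlled: it may change how the 401 is
    // presented, never whether the request is authorized.
    const headers = { 'Content-Type': 'application/json' };
    if (!isAjax(req.headers)) {
      headers['WWW-Authenticate'] = `Basic realm="${realm}"`;
    }
    res.writeHead(401, headers);
    res.end(JSON.stringify({ error: 'unauthorized' }));
  };
}

// Minimal stand-in for http.ServerResponse so the listener can be exercised
// without opening a socket.
function fakeResponse() {
  return {
    status: null, headers: {}, body: '',
    writeHead(status, headers) { this.status = status; this.headers = headers; },
    end(body) { this.body = body || ''; },
  };
}

// Run one constructed request through the listener and return the response.
function simulate(requestHeaders) {
  const listener = makeListener({
    realm: 'example',
    verify: (h) => h === 'Basic ZGVtbzpkZW1v', // constructed: base64("demo:demo")
    onAuthorized: (req, res) => { res.writeHead(200, {}); res.end('ok'); },
  });
  const res = fakeResponse();
  listener({ headers: requestHeaders }, res);
  return res;
}
```

To serve real traffic, pass the result of `makeListener(...)` to `http.createServer` from Node's `http` module.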


The browser pops up a login prompt when both of the following conditions are met:

  1. HTTP status is 4xx
  2. WWW-Authenticate header is present in the response

If you can control the HTTP response, then you can remove the WWW-Authenticate header from the response, and the browser won't pop up the login dialog.

If you can't control the response, you can set up a proxy to filter out the WWW-Authenticate header from the response.

As far as I know (feel free to correct me if I'm wrong), there is no way to prevent the login prompt once the browser receives the WWW-Authenticate header.


I don't think this is possible -- if you use the browser's HTTP client implementation, it will always pop up that dialog. Two hacks come to mind:

  1. Maybe Flash handles this differently (I haven't tried yet), so having a Flash movie make the request might help.

  2. You can set up a 'proxy' for the service that you're accessing on your own server, and have it modify the authentication headers a bit, so that the browser doesn't recognise them.