I use XMLHttpRequest and basic-auth to access application interface. Password is temorary and is generated by other request, so it expires after some time.
But browser (Firefox least) keep using old one, failing and showing login popup. If i suppress popup by returning 403 for requests with X-Requested-By and wrong password, mozilla never tries to use new password (firebug shows new password in request, server receives old).
Problem can be evaded by adding random ‘salt’ to username (and stripping it at server side), but is there better way to force XMLHttpRequest use provided password instead of cached?
401 responses include an "authentication domain," which defaults to the all URLs on the server (see RFC 2617). The browser is expected to provide the same credentials to any challenge from the same domain.
Since you’re already generating an expiring password, why not simply turn it into a token that has to be appended to every request? For example an SHA1 hash of the username, perhaps salted with a timestamp. I’m assuming that you’ll use this as a key on the server to retrieve the user’s data.