Recently I had a need to allow users to change their login on an MVC site that used Windows authentication. Of course we did not want the user to log out of their machine to do it. The trick of course involved sending a 401 response, but how to do that and not get stuck in an endless loop.
The 401 Loop
It seemed simple enough, in fact too simple. You just return a 401 challenge and have them move on to their previous page. The 401 response is what presents the user with the Windows login popup. In reality the 401 response acts like a redirect on itself, so you get two page loads and it forgets any variables you set.
Well that simply would not do. Read the rest of this entry