Practically nothing while in the spec claims otherwise, and infrequently You cannot utilize a 401 in that condition for the reason that returning a 401 is only lawful for those who include a WWW-Authenticate header. If HTTP authentication is not in use plus the services incorporates a cookie-dependent authentication scheme http://pigpgs.com
