1. client requests a protected resource without supplying credentials
2. server responds with a 401 (Unauthorized) status and a WWW-Authenticate
challenge header
3. client presents the authentication realm to the user and asks for a username
and password (the actual implementation is user-agent dependent)
4. client constructs the credential string using Base64 encoding (RFC 2045) and
resends the original request, this time with an Authorization header:
    GET /secret/index.html HTTP/1.1
    Host: www.company.com
    Authorization: Basic xXN0d....
5. server verifies the credentials and sends the resource