Rails 2.3.x. The app you tested this on, what's the password procedure like? One part of problem is doing a password procedure like "Users[name]" where Users is a hash of usernames/passwords. Also I believe this just effects folks doing digest auth (authenticate_or_request_with_http_digest) not basic auth (authenticate_or_request_with_http_basic)