Authorization header is broken after 302 redirect if you do a page reload immediately after redirect. When doing the reload header looks like this: Authorization: Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0 when it should be like this: Authorization: Basic dGVzdDp0ZXN0 Example code which reproduces the problem together with tcpdump of all headers can be found at: https://gist.github.com/874847 Open the page. Login with test and test. Reload a few times. Page loads fine. Then click the link which make 302 redirect back to original page. Now when you reload it asks for username and password again. If you check the logs you can see credentials are now broken. There is also another test page at http://www.appelsiini.net/bugs/safari_auth/ (user: test, password: test). However Apache can recover from broken header and does not ask for password again. If you sniff the traffic you can still see the broken header. Tested with Safari 5.0.4 (6533.20.27), Safari 5.0.3 (6533.19.4) and latest Webkit Nightly 5.0.3 (6533.19.4, r80833).