Invalidate credentials if the server rejects them.

net/http/http_auth_handler_basic.cc

Index: net/http/http_auth_handler_basic.cc
diff --git a/net/http/http_auth_handler_basic.cc b/net/http/http_auth_handler_basic.cc
index e48aa6761ebfc40c886513169e0f2c4b92429971..9ed28e2063297c119a647595e0086d9643e0af45 100644
--- a/net/http/http_auth_handler_basic.cc
+++ b/net/http/http_auth_handler_basic.cc
@@ -53,9 +53,20 @@ bool HttpAuthHandlerBasic::ParseChallenge(
 
 HttpAuth::AuthorizationResult HttpAuthHandlerBasic::HandleAnotherChallenge(
     HttpAuth::ChallengeTokenizer* challenge) {
-  // Basic authentication is always a single round, so any responses should
-  // be treated as a rejection.
-  return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+  // Basic authentication is always a single round, so any responses
+  // should be treated as a rejection.  However, if the new challenge
+  // is for a different realm, then indicate the realm change.
+  HttpUtil::NameValuePairsIterator parameters = challenge->param_pairs();
+  std::string realm;
+  while (parameters.GetNext()) {
+    if (LowerCaseEqualsASCII(parameters.name(), "realm")) {
+      realm = parameters.value();
+      break;

[wtc, 2011/02/22 23:17:32]

Nit: this while loop should match the while loop in
ParseChallenge (lines 41-45 exactly).

If multiple 'realm' parameters are present, that while loop
takes the last one whereas this while loop takes the first
one.

Your HttpAuthHandlerDigest::HandleAnotherChallenge doesn't
have a 'break' statement in the while loop either.

[asanka, 2011/02/23 18:06:40]

Will fix in a new CL.
In the Digest case, that was to give precedence to the "stale" directive if
there was one, but that has the side-effect of picking the last 'realm'
directive if there is more than one.

+    }
+  }
+  return (realm_ != realm)?
+      HttpAuth::AUTHORIZATION_RESULT_DIFFERENT_REALM:
+      HttpAuth::AUTHORIZATION_RESULT_REJECT;
 }
 
 int HttpAuthHandlerBasic::GenerateAuthTokenImpl(