on login error CMSimple_XH responds with "401 Unauthorized". But RFC 2616 states:
As a WWW-Authenticate header field would be not reasonable for security_type "page" or "javascript", this should better be changed to a "403 Forbidden" response.10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a
WWW-Authenticate header field (section 14.47) containing a challenge
applicable to the requested resource.
Christoph