Below are two examples. The first one demonstrates the problem on a site that has the challenge page enabled in front of the login page. The second demonstrates nonexistence of the problem on a site the is not using the challenge page. However, the site used in the second example does present the problem when the challenge page is enabled.
Some information is redacted and highlighted by surrounding underscores _.
######## Server-side httpd logs
Instance WITH the problem (challenge enabled)
Initial load (while CF challenge page is pending)
REDACTED - - [04/Dec/2019:16:17:53 -0500] “GET https://DOMAIN_1/wp-admin” 301 178 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:-/0.000 XFF:REDACTED CFRAY:5400cf4a7d45e3ce-ATL
REDACTED - - [04/Dec/2019:16:17:53 -0500] “GET https://DOMAIN_1/wp-admin/” 302 5 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:0.000/0.001 XFF:REDACTED CFRAY:5400cf4acde9e3ce-ATL
REDACTED - - [04/Dec/2019:16:17:53 -0500] “GET https://DOMAIN_1/wp/wp-admin/” 302 5 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:0.200/0.199 XFF:REDACTED CFRAY:5400cf4b0e7be3ce-ATL
After challenge page complete, these are the requests which result in the 401 (auth required) response. Here you are seeing the first attempted load, plus 3 requests where I have actually submitted the login info.
REDACTED - - [04/Dec/2019:16:17:58 -0500] “GET https://DOMAIN_1/wp/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_1_%2Fwp%2Fwp-admin%2F&reauth=1” 401 590 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:-/0.000 XFF:REDACTED CFRAY:5400cf65fc69e3ce-ATL
REDACTED - - [04/Dec/2019:16:18:04 -0500] “GET https://DOMAIN_1/wp/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_1_%2Fwp%2Fwp-admin%2F&reauth=1” 401 590 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:-/0.000 XFF:REDACTED CFRAY:5400cf8c1a21e3ce-ATL
REDACTED - - [04/Dec/2019:16:18:05 -0500] “GET https://DOMAIN_1/wp/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_1_%2Fwp%2Fwp-admin%2F&reauth=1” 401 590 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:-/0.000 XFF:REDACTED CFRAY:5400cf96090de3ce-ATL
REDACTED - - [04/Dec/2019:16:18:07 -0500] “GET https://DOMAIN_1/wp/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_1_%2Fwp%2Fwp-admin%2F&reauth=1” 401 590 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:-/0.000 XFF:REDACTED CFRAY:5400cf9e3b41e3ce-ATL
Once the 3 logins failed, I hit cancel so that no more requests are sent. Then I wait a couple seconds, go to the URL/Address bar, hit enter to visit the page. The HTTPAUTH login prompt pops up, I input a correct login, and you see the very next request actually shows success (HTTP 200). *** Take note of the fact that now the USERNAME is only now being recognized at the destination server with the request
REDACTED - - [04/Dec/2019:16:18:14 -0500] “GET https://DOMAIN_1/wp/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_1_%2Fwp%2Fwp-admin%2F&reauth=1” 401 590 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:-/0.000 XFF:REDACTED CFRAY:5400cfcc3d33e3ce-ATL
REDACTED - USERNAME [04/Dec/2019:16:18:16 -0500] “GET https://DOMAIN_1/wp/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_1_%2Fwp%2Fwp-admin%2F&reauth=1” 200 1290 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:0.208/0.208 XFF:REDACTED CFRAY:5400cfd96b35e3ce-ATL
REDACTED - USERNAME [04/Dec/2019:16:18:16 -0500] “GET https://DOMAIN_1/wp/wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.2” 200 38637 “https://DOMAIN_1/wp/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_1_%2Fwp%2Fwp-admin%2F&reauth=1” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:0.012/0.013 XFF:REDACTED CFRAY:5400cfdafee9e3ce-ATL
Instance WITHOUT the problem (challenge disabled)
Initial load. No CF challenge page involved, so we immediately get a HTTP 401 rather than HTTP 302 for the challenge page
REDACTED - - [04/Dec/2019:16:27:02 -0500] “GET https://DOMAIN_2/wp-admin/” 302 5 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:0.016/0.018 XFF:REDACTED CFRAY:5400dcb11bf73880-ATL
REDACTED - - [04/Dec/2019:16:27:02 -0500] “GET https://DOMAIN_2/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_2_%2Fwp-admin%2F&reauth=1” 401 590 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:-/0.000 XFF:REDACTED CFRAY:5400dcb18c303880-ATL
Entering the correct login, it works the first time. The username is recognized and permitted to fetch the page.
REDACTED - USERNAME [04/Dec/2019:16:27:07 -0500] “GET https://DOMAIN_2/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_2_%2Fwp-admin%2F&reauth=1” 200 1112 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:0.024/0.023 XFF:REDACTED CFRAY:5400dcd15ca33880-ATL
REDACTED - USERNAME [04/Dec/2019:16:27:07 -0500] “GET https://DOMAIN_2/wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4” 200 38631 “https://DOMAIN_2/wp-login.php?redirect_to=https%3A%2F%2F_DOMAIN_2_%2Fwp-admin%2F&reauth=1” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – RQT:0.004/0.005 XFF:REDACTED CFRAY:5400dcd1ecd73880-ATL