- On 401 (unauthorized) responses for ajax calls, pass false to next() to stop the handler chain
- Fix the 401 response on ajax requests to call send() rather than simply setting the status (which can be overriden by later handlers in the chain)
- Send a 401 (unauthorized) instead of redirecting to login when we detect that the request is an XHR