#Vendanand, if they got that response back from a POST with their username/password, that would cause them to make a POST with username/password to the web app (not many browsers do this according to spec, but a 303 is spec for "make a GET to this URL").