diff --git a/lib/base.php b/lib/base.php
index fd8f39e0b8d54d796b4e883d37e9c8c180d2055b..16ce0973a95d32335897efeeb28d4b7db419e107 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -856,10 +856,7 @@ class OC {
 			} else {
 				// For guests: Load only filesystem and logging
 				OC_App::loadApps(array('filesystem', 'logging'));
-				$userSession = self::$server->getUserSession();
-				if (!$userSession->tryTokenLogin()) {
-					$userSession->tryBasicAuthLogin();
-				}
+				self::handleLogin($request);
 			}
 		}
 
@@ -905,6 +902,26 @@ class OC {
 		}
 	}
 
+	/**
+	 * Check login: apache auth, auth token, basic auth
+	 *
+	 * @param OCP\IRequest $request
+	 * @return boolean
+	 */
+	private static function handleLogin(OCP\IRequest $request) {
+		$userSession = self::$server->getUserSession();
+		if (OC_User::handleApacheAuth()) {
+			return true;
+		}
+		if ($userSession->tryTokenLogin($request)) {
+			return true;
+		}
+		if ($userSession->tryBasicAuthLogin($request)) {
+			return true;
+		}
+		return false;
+	}
+
 	protected static function handleAuthHeaders() {
 		//copy http auth headers for apache+php-fcgid work around
 		if (isset($_SERVER['HTTP_XAUTHORIZATION']) && !isset($_SERVER['HTTP_AUTHORIZATION'])) {
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 972f59fc00182d3bce4074218ba0b0722369b889..b72e4e1a1edd0eddad254f1d3cf051e4b5c7ea2f 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -332,7 +332,8 @@ class Session implements IUserSession, Emitter {
 	 * Tries to login the user with HTTP Basic Authentication
 	 * @return boolean if the login was successful
 	 */
-	public function tryBasicAuthLogin() {
+	public function tryBasicAuthLogin(IRequest $request) {
+		// TODO: use $request->server instead of super globals
 		if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
 			$result = $this->login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
 			if ($result === true) {
@@ -431,9 +432,7 @@ class Session implements IUserSession, Emitter {
 	 *
 	 * @todo check remember me cookie
 	 */
-	public function tryTokenLogin() {
-		// TODO: resolve cyclic dependency and inject IRequest somehow
-		$request = \OC::$server->getRequest();
+	public function tryTokenLogin(IRequest $request) {
 		$authHeader = $request->getHeader('Authorization');
 		if (strpos($authHeader, 'token ') === false) {
 			// No auth header, let's try session id