
Proper HTTP headers for login success / fail responses?


Are there any standards for using HTTP headers for login success / fail responses?


Solution

  • The header that the server sends is either the 200 OK or the 401 denied status code, on success or failure.

    See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Section 10.4.2 401 Unauthorized for this.

    When sending the 401, the server must send a

    WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

    to indicate what scheme should be used to authenticate.

    See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html Section 14.47 WWW-Authenticate for this.
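
The behaviour described in the answer above, as an added example that is not part of the original answer: a Python function that maps an Authorization header to 200 on success or to 401 with a WWW-Authenticate challenge on any failure. The Basic scheme, the realm name, the user table and the function names are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed demo credential store (assumption; real systems keep salted password hashes).
USERS = {"alice": "correct horse"}
REALM = "example"  # hypothetical realm name


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def login_response(authorization):
    """Map a login attempt to (status_code, response_headers)."""
    creds = parse_basic(authorization)
    if creds is not None:
        user, password = creds
        # Unknown users are compared against an empty value, so the comparison
        # always runs and is constant-time with respect to the stored secret.
        expected = USERS.get(user, "")
        matches = hmac.compare_digest(password.encode(), expected.encode())
        if matches and user in USERS:
            return 200, {}
    # Missing header, malformed header, unknown user and wrong password all get
    # the same 401, and the 401 always carries the challenge.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```

Returning one identical 401 for every failure path keeps the response from revealing whether the user name exists.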