diff --git a/djblets/webapi/auth.py b/djblets/webapi/auth.py
--- a/djblets/webapi/auth.py
+++ b/djblets/webapi/auth.py
@@ -35,6 +35,16 @@ from djblets.webapi.decorators import webapi
 from djblets.webapi.errors import LOGIN_FAILED
 
 
+def check_login(request):
+    """Checks if a login request was made.
+
+    If the client specifies a HTTP_AUTHORIZATION header, this will attempt
+    to authenticate using a supported authentication method.
+    """
+    if 'HTTP_AUTHORIZATION' in request.META:
+        basic_access_login(request)
+
+
 def basic_access_login(request):
     try:
         realm, encoded_auth = request.META['HTTP_AUTHORIZATION'].split(' ')
@@ -45,12 +55,19 @@ def basic_access_login(request):
     if realm != 'Basic':
         return
 
-    user = auth.authenticate(username=username, password=password)
+    # Don't authenticate if a user is already logged in and the
+    # username matches.
+    #
+    # Note that this does mean that a new password will fail. However,
+    # the user is already logged in, and querying the backend for every
+    # request is excessive, so it's a tradeoff. The user already has access
+    # to the server at this point anyway.
+
+    if request.user.is_anonymous() or request.user.username != username:
+        user = auth.authenticate(username=username, password=password)
 
-    if user and user.is_active:
-        auth.login(request, user)
-        user.last_login = datetime.now()
-        user.save()
+        if user and user.is_active:
+            auth.login(request, user)
 
 
 @require_POST
@@ -65,8 +82,6 @@ def account_login(request, *args, **kwargs):
         return WebAPIResponseError(request, LOGIN_FAILED)
 
     auth.login(request, user)
-    user.last_login = datetime.now()
-    user.save()
 
     return WebAPIResponse(request)
 
diff --git a/djblets/webapi/decorators.py b/djblets/webapi/decorators.py
--- a/djblets/webapi/decorators.py
+++ b/djblets/webapi/decorators.py
@@ -82,21 +82,12 @@ def webapi_login_required(view_func):
     returned.
     """
     def _checklogin(*args, **kwargs):
-        from djblets.webapi.auth import basic_access_login
-
         request = _find_httprequest(args)
 
-        if not request.user.is_authenticated():
-            # See if the request contains authentication tokens
-            if 'HTTP_AUTHORIZATION' in request.META:
-                basic_access_login(request)
-
         if request.user.is_authenticated():
-            response = view_func(*args, **kwargs)
+            return view_func(*args, **kwargs)
         else:
-            response = WebAPIResponseError(request, NOT_LOGGED_IN)
-
-        return response
+            return WebAPIResponseError(request, NOT_LOGGED_IN)
 
     view_func.login_required = True
 
diff --git a/djblets/webapi/resources.py b/djblets/webapi/resources.py
--- a/djblets/webapi/resources.py
+++ b/djblets/webapi/resources.py
@@ -8,6 +8,7 @@ from django.views.decorators.vary import vary_on_headers
 
 from djblets.util.decorators import augment_method_from
 from djblets.util.misc import never_cache_patterns
+from djblets.webapi.auth import check_login
 from djblets.webapi.core import WebAPIResponse, \
                                 WebAPIResponseError, \
                                 WebAPIResponsePaginated, \
@@ -242,6 +243,8 @@ class WebAPIResource(object):
     @vary_on_headers('Accept')
     def __call__(self, request, api_format=None, *args, **kwargs):
         """Invokes the correct HTTP handler based on the type of request."""
+        check_login(request)
+
         method = request.method
 
         if method == 'POST':