but as the user is now logged in we don't need the username:password@ part anymore.
Why does this work? For access to the protected area to succeed, the browser should post an Authorization header, shouldn't it? If we no longer post the username and password in the URL, does this mean that the browser silently begins to use the Authorization header?
Can you please explain or give a URL to read more on it?
Yes, exactly. Most browsers cache the login information and send the appropriate Authorization header on each request.
BTW, IIRC Mozilla Firefox will display a messagebox "Do you really want to login using the following user/pass-combination" if redirected to http://user:pass@.../.
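The behaviour described in the answer above, as an added example that is not code from the original thread: a simplified model of the browser's Basic-auth credential cache (assumed to be keyed per host only; real browsers scope it per protection space/realm), plus a hypothetical server-side check that validates the header the browser keeps sending once the `user:pass@` part has been stripped from the URL.

```python
import base64
import hmac
from urllib.parse import urlsplit, urlunsplit


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def server_check(auth_header, expected_user: str, expected_password: str) -> int:
    """Hypothetical server: 200 if the header carries the right credentials, else 401."""
    if not auth_header or not auth_header.startswith("Basic "):
        return 401
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or bad encoding
        return 401
    # compare_digest keeps the comparison time independent of where the mismatch is
    ok_user = hmac.compare_digest(user.encode(), expected_user.encode())
    ok_pass = hmac.compare_digest(password.encode(), expected_password.encode())
    return 200 if (ok_user and ok_pass) else 401


class BrowserAuthCache:
    """Simplified (assumed) model of a browser's per-host Basic-auth cache."""

    def __init__(self):
        self._creds = {}  # hostname -> (username, password)

    def request(self, url: str) -> tuple:
        """Return (URL actually requested, headers sent).

        Credentials embedded in the URL are moved into the cache and the
        userinfo part is dropped; every later request to that host gets the
        cached Authorization header, which is why the redirect to the URL
        without user:pass@ still reaches the protected area.
        """
        parts = urlsplit(url)
        if parts.username is not None:
            self._creds[parts.hostname] = (parts.username, parts.password or "")
        clean_netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
        clean_url = urlunsplit((parts.scheme, clean_netloc, parts.path, parts.query, parts.fragment))
        headers = {}
        if parts.hostname in self._creds:
            headers["Authorization"] = basic_auth_header(*self._creds[parts.hostname])
        return clean_url, headers
```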