When looking at a client-side capture (with either Fiddler2 or RealiTea Viewer), at some sites we see the client making multiple requests for the same page or resource. The sequence is:
- Request for /resource.do
- Response Status Code 407
- Request for /resource.do
- Response Status Code 407
- Request for /resource.do
- Response code 200 (and the page is returned)
This pattern indicates that there is a proxy between the client and the web server, and that the proxy is configured to use a Challenge/Response authentication scheme. Here are some additional details for the same sequence:
- Request for /resource.do
  - The browser sends no authentication headers in this request
- Response Status Code 407
  - The proxy responds with a “Proxy Authentication Required” status code and also tells the browser what kind of authentication is required, either Basic or Challenge/Response
- Request for /resource.do
  - The browser sends the request again, this time with an HTTP header that tells the proxy it wants to use Challenge/Response
- Response Status Code 407
  - The proxy responds with the 407 status code again, and additionally includes the Challenge information
- Request for /resource.do
  - The browser sends the request again, this time with an HTTP header that includes the Response to the Challenge
  - The proxy lets this request through to the web server
- Response code 200 (and the page is returned)
  - The server returns the response to the proxy, which passes it back to the browser.
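To pick this handshake out of a larger capture, the sketch below collapses consecutive requests for the same URL and reports the scheme the proxy offered and whether the exchange ever got through. It is an added example, not part of the original article; the dict layout of each exchange, the function name `find_proxy_handshakes`, and the NTLM/Basic sample values are assumptions made for illustration.

```python
from itertools import groupby

# Constructed sample capture (not from a real session): one dict per exchange,
# in capture order, with header names already lower-cased.
CAPTURE = [
    {"url": "/resource.do", "req": {}, "status": 407,
     "resp": {"proxy-authenticate": "NTLM"}},
    {"url": "/resource.do", "req": {"proxy-authorization": "NTLM <type1>"},
     "status": 407, "resp": {"proxy-authenticate": "NTLM <challenge>"}},
    {"url": "/resource.do", "req": {"proxy-authorization": "NTLM <type3>"},
     "status": 200, "resp": {}},
    {"url": "/logo.png", "req": {}, "status": 200, "resp": {}},
    # Failure case: credentials are sent but the proxy keeps answering 407.
    {"url": "/blocked.do", "req": {}, "status": 407,
     "resp": {"proxy-authenticate": "Basic realm=\"proxy\""}},
    {"url": "/blocked.do", "req": {"proxy-authorization": "Basic <creds>"},
     "status": 407, "resp": {"proxy-authenticate": "Basic realm=\"proxy\""}},
]

def find_proxy_handshakes(exchanges):
    """Collapse consecutive requests for one URL into proxy-auth handshakes."""
    results = []
    for url, run in groupby(exchanges, key=lambda e: e["url"]):
        run = list(run)
        challenges = [e for e in run if e["status"] == 407]
        if not challenges:
            continue  # no proxy challenge: an ordinary request
        # The scheme is the first token of the first Proxy-Authenticate header.
        offered = challenges[0]["resp"].get("proxy-authenticate", "")
        scheme = offered.split()[0] if offered else "unknown"
        final = run[-1]["status"]
        results.append({
            "url": url,
            "scheme": scheme,
            "challenges": len(challenges),
            "final_status": final,
            # A run that ends on 407 never got through the proxy.
            "completed": final != 407,
            # The first request of a handshake should carry no credentials.
            "unauthenticated_first": "proxy-authorization" not in run[0]["req"],
        })
    return results

if __name__ == "__main__":
    for handshake in find_proxy_handshakes(CAPTURE):
        print(handshake)
```

A handshake that ends with `completed` set to false is the one worth investigating: the client answered the challenge but the proxy never forwarded the request.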
This MSDN article has further details and a nice explanation: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383144(v=vs.85).aspx