When looking at a client-side capture (either with Fiddler2 or with RealiTea Viewer), at some sites we see the client making multiple requests for the same page or resource. The sequence is:
- Request for /resource.do
- Response Status Code 407
- Request for /resource.do
- Response Status Code 407
- Request for /resource.do
- Response code 200 (and the page is returned)
This pattern indicates that there is a proxy between the client and the web server, and the proxy is configured to use a Challenge/Response Authentication scheme. Here are some additional details for that same sequence above:
- Request for /resource.do
  - The browser sends no authentication headers in this request
- Response Status Code 407
  - The proxy responds with a “Proxy Authentication Required” status code and also tells the web server what kind of authentication is required, either basic or Challenge/Response
- Request for /resource.do
  - The browser sends the request again, this time with an HTTP header that tells the proxy it wants to use Challenge/Response
- Response Status Code 407
  - The proxy responds with the 407 status code, and additionally it includes the Challenge information
- Request for /resource.do
  - The browser sends the request again, this time with an HTTP header that includes the Response to the Challenge
  - The proxy lets this request through to the web server
- Response code 200 (and the page is returned)
  - The server returns the response to the proxy, which passes it back to the browser.
This MSDN article has further details and a nice explanation: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383144(v=vs.85).aspx
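When counting page hits in a capture, the challenge round trips in the sequence above can be folded into the request that finally succeeds. The following is an added example, not code from the original post or from Fiddler or RealiTea Viewer. The capture tuples, the `NTLM` scheme token, the placeholder header values and the function name are constructed assumptions, and it goes slightly beyond the 407 case by also labelling 401 challenges, which come from the origin server.

```python
# Constructed sample capture: (url, request headers, status, response headers).
CAPTURE = [
    ("/resource.do", {}, 407, {"Proxy-Authenticate": "NTLM"}),
    ("/resource.do", {"Proxy-Authorization": "NTLM <negotiate-placeholder>"},
     407, {"Proxy-Authenticate": "NTLM <challenge-placeholder>"}),
    ("/resource.do", {"Proxy-Authorization": "NTLM <response-placeholder>"},
     200, {}),
    ("/style.css", {}, 200, {}),
    ("/report.do", {}, 401, {"WWW-Authenticate": 'Basic realm="constructed"'}),
    ("/report.do", {"Authorization": "Basic <placeholder>"}, 200, {}),
]

# Challenge status code -> (who issued it, header that names the scheme)
CHALLENGERS = {407: ("proxy", "Proxy-Authenticate"),
               401: ("server", "WWW-Authenticate")}

def collapse_auth_handshakes(capture):
    """Merge each run of 401/407 round trips into the hit that completes it."""
    hits, pending = [], None
    for url, _req, status, resp in capture:
        if pending and pending["url"] != url:
            hits.append(pending)      # handshake abandoned, keep the 4xx hit
            pending = None
        if status in CHALLENGERS:
            who, header = CHALLENGERS[status]
            if pending is None:
                # The first challenge names the scheme; later ones carry data.
                scheme = resp.get(header, "").split(" ")[0] or "unknown"
                pending = {"url": url, "status": status, "challenged_by": who,
                           "scheme": scheme, "round_trips": 0}
            pending["round_trips"] += 1
            continue
        hit = pending or {"url": url, "challenged_by": None, "scheme": None,
                          "round_trips": 0}
        hit["status"] = status        # final status replaces the challenge code
        hit["round_trips"] += 1
        hits.append(hit)
        pending = None
    if pending:
        hits.append(pending)          # capture ended mid-handshake
    return hits

if __name__ == "__main__":
    for hit in collapse_auth_handshakes(CAPTURE):
        print(hit)
```

A hit whose final status is still 407 after several round trips points at failing proxy credentials rather than at the web application.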
Hi Bill, this is interesting. We encountered something similar, but with 401s. My assumption is that the 401 indicates the request for authentication from the SERVER rather than the PROXY?
Cheers,
Marilyn