PerlMonks
RE: RE: RE: Answer: Security: Cookies vs HTTP authentication

by merlyn (Sage)
on Sep 07, 2000 at 00:31 UTC [id://31320]


in reply to RE: RE: Answer: Security: Cookies vs HTTP authentication
in thread Security: Cookies vs HTTP authentication

I'm not sure what browser you're using where each authenticated page request requires two hits, but IE will send authentication information for all subsequent hits in the same area without being asked. The first request obviously is rejected on the grounds that no authentication information is provided, but after that the browser should know to send it automatically.
I think you're mixing up cookies and auth here, or perhaps the caching of auth performed by a browser. A browser is not supposed to send auth unless challenged. IE remembers that you auth'ed in an area (against a particular realm name), and resends its stored auth in the same area, but it can't know which auth to send until it gets a challenge with the realm name. And it can't get the challenge unless it sends the request without auth the first time.

I just verified this in a basicauth protected area of my website. iCab gets it right, waiting for the challenge on each hit. And yes, NS and IE both do it wrong, sending an auth before being challenged. How sucky. How do they know which realm to send up? Or do they just do the most recent realm? That could be a security hole.

Ahh, RFC2617 agrees with both of us {grin}:

A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the Proxy-Authorization header field without receiving another challenge from the proxy server. See section 4 for security considerations associated with Basic authentication.
Hmm. I did not know the preemptive auth send. Thanks for pointing that out to me.

-- Randal L. Schwartz, Perl hacker
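The exchange discussed in this thread, as an added example that is not part of the original post and not code by merlyn or anyone on PerlMonks: a small in-process Basic-auth server with two realms, and a simulated browser that can (a) wait for the 401 challenge on every hit, (b) resend credentials preemptively only inside the RFC 2617 protection space (the directory of the challenged URI and below), or (c) do the "most recent realm" guess the post wonders about. The server keeps an audit log of every Authorization header it receives, so the third strategy's cross-realm credential leak is visible. The paths, realm names, users and passwords are constructed for the demo.

```python
import base64
import posixpath
import re

# Constructed demo server: two protection spaces, each with its own realm and
# user list. Assumed data for this example, not the poster's site.
REALMS = {"/members/": ("members", {"alice": "s3cret"}),
          "/admin/": ("admins", {"root": "hunter2"})}
USERS_BY_REALM = dict(REALMS.values())
RECEIVED = {}  # audit log: every Authorization header the server saw, by realm

def decode_basic(header):
    """Parse 'Basic <base64(user:password)>'; return None when malformed."""
    if not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def encode_basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_realm(challenge):
    """Realm from 'Basic realm="..."' (quoted-pair escapes not handled)."""
    m = re.match(r'Basic\s+realm="([^"]*)"', challenge)
    if not m:
        raise ValueError(f"unsupported challenge: {challenge!r}")
    return m.group(1)

def server(path, headers):
    """Answer GET <path> with (200, {}) or (401, {'WWW-Authenticate': ...})."""
    for prefix, (realm, users) in REALMS.items():
        if path.startswith(prefix):
            auth = headers.get("Authorization")
            if auth is not None:
                RECEIVED.setdefault(realm, []).append(auth)
                cred = decode_basic(auth)
                if cred and users.get(cred[0]) == cred[1]:
                    return 200, {}
            return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    return 200, {}  # public resource

class Client:
    """Simulated browser. mode is 'challenge' (never preemptive), 'rfc' (preemptive
    only inside the protection space that challenged) or 'last' (resend the most
    recently used realm's credentials everywhere: the guess the post worries about)."""

    def __init__(self, creds, mode):
        self.creds = creds      # realm -> (user, password) the user knows
        self.mode = mode
        self.spaces = {}        # protection-space prefix -> realm that owns it
        self.last_realm = None
        self.requests = 0

    def _preemptive(self, path):
        if self.mode == "last" and self.last_realm:
            return encode_basic(*self.creds[self.last_realm])
        if self.mode == "rfc":
            for prefix, realm in self.spaces.items():
                if path.startswith(prefix):
                    return encode_basic(*self.creds[realm])
        return None

    def get(self, path):
        auth = self._preemptive(path)
        self.requests += 1
        status, resp = server(path, {"Authorization": auth} if auth else {})
        if status != 401:
            return status
        realm = parse_realm(resp["WWW-Authenticate"])
        if realm not in self.creds:
            return 401          # user has no password for this realm
        # RFC 2617 section 2: the protection space is the directory of the
        # challenged URI and everything below it.
        self.spaces[posixpath.dirname(path).rstrip("/") + "/"] = realm
        self.last_realm = realm
        self.requests += 1
        status, _ = server(path, {"Authorization": encode_basic(*self.creds[realm])})
        return status

def run(mode):
    """Fetch a fixed page sequence; return (total requests, sorted (realm, user)
    pairs whose credentials reached a realm they do not belong to)."""
    RECEIVED.clear()
    client = Client({"members": ("alice", "s3cret"), "admins": ("root", "hunter2")}, mode)
    pages = ["/members/a.html", "/members/b.html", "/admin/panel.html", "/members/c.html"]
    if any(client.get(p) != 200 for p in pages):
        raise RuntimeError("a page did not load")
    leaked = {(realm, cred[0]) for realm, hdrs in RECEIVED.items()
              for cred in map(decode_basic, hdrs)
              if cred and cred[0] not in USERS_BY_REALM[realm]}
    return client.requests, sorted(leaked)
```

Running `run("challenge")` gives 8 requests for 4 pages and no leak (every protected hit costs the two round trips the original poster complained about); `run("rfc")` gives 6 requests and no leak (the preemptive send the RFC 2617 text quoted above permits, scoped to the protection space); `run("last")` gives 7 requests and delivers alice's members password to the admins realm and root's admins password to the members realm, which is exactly the hole merlyn suspects a "most recent realm" guess would open.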
