I'm not sure what browser you're using where each authenticated page request requires two hits, but IE will send authentication information for all subsequent hits in the same area without being asked. The first request obviously is rejected on the grounds that no authentication information is provided, but after that the browser should know to send it automatically.
I think you're mixing up cookies and auth here, or perhaps the caching of auth performed by a browser. A browser is not supposed to send auth unless challenged. IE remembers that you auth'ed in an area (against a particular realm name), and resends its stored auth in the same area, but it can't know which auth to send until it gets a challenge with the realm name. And it can't get the challenge unless it sends it without auth the first time.
I just verified this in a basicauth protected area of my website. iCab gets it right, waiting for the challenge on each hit. And yes, NS and IE both do it wrong, sending an auth before being challenged. How sucky.
How do they know which realm to send up? Or do they just do the most recent realm? That could be a security hole.
Ahh, RFC2617 agrees with both of us {grin}:

A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the Proxy-Authorization header field without receiving another challenge from the proxy server. See section 4 for security considerations associated with Basic authentication.
Hmm. I did not know the preemptive auth send. Thanks for pointing that out to me.
-- Randal L. Schwartz, Perl hacker
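The behaviour argued over in this thread (first hit unauthenticated, challenge with a realm, then preemptive Authorization only for resources in the same protection space) as an added Python model; this is illustration code, not anything from the thread or from any browser. The realm, the sample credential, the URLs and the directory-prefix rule in `_in_known_space` are constructed assumptions, the last one following RFC 2617's guidance that paths at or below the directory of a challenged URI belong to the same space.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: one realm, one user, one protected directory.
REALM = "staff"
USERS = {"alice": "s3cret"}
PROTECTED_PREFIX = "/private/"


def server(path, headers):
    """Return (status, response_headers); 401 + challenge unless Basic creds are valid."""
    if not path.startswith(PROTECTED_PREFIX):
        return 200, {}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:          # bad base64 or non-UTF-8 payload
            user, pw = None, None
        if user in USERS and USERS[user] == pw:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


class Client:
    """Sends credentials only after a challenge, then preemptively within that space."""

    def __init__(self, user, password):
        self.token = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.spaces = set()   # (origin, directory) pairs that have challenged us
        self.log = []         # (path, sent_auth, status) for every hit, for inspection

    def _space(self, url):
        u = urlsplit(url)
        return (f"{u.scheme}://{u.netloc}", u.path.rsplit("/", 1)[0] + "/")

    def _in_known_space(self, url):
        origin, directory = self._space(url)
        return any(o == origin and directory.startswith(p) for o, p in self.spaces)

    def get(self, url, preemptive=True):
        path = urlsplit(url).path
        headers = {}
        if preemptive and self._in_known_space(url):   # RFC 2617 "MAY preemptively send"
            headers["Authorization"] = self.token
        status, resp = server(path, headers)
        self.log.append((path, "Authorization" in headers, status))
        if status == 401 and resp.get("WWW-Authenticate", "").startswith("Basic "):
            self.spaces.add(self._space(url))          # learn the space, then retry once
            status, _ = server(path, {"Authorization": self.token})
            self.log.append((path, True, status))
        return status
```

Because the cache is keyed on origin and directory rather than on "most recent realm", credentials learned for one space are never sent to an unrelated path; passing `preemptive=False` gives the iCab-style two hits per protected resource.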