The Hypertext Transfer Protocol (HTTP) is one of the most important communications protocols in today's Internet. For example, HTTP is used to retrieve web pages and other data on the World Wide Web. There are two commonly used HTTP authentication modes. These HTTP authentication modes are connection-based authentication and request-based authentication.
When connection-based HTTP authentication is used, a client system sends a first HTTP request to a server system. The client system sends the first HTTP request to the server system using a Transmission Control Protocol (TCP) connection. The first HTTP request requests a resource, the resource being provided by the server system. If HTTP authentication is required, the server system uses the TCP connection to send a first HTTP rejection response back to the client system. The first HTTP rejection response indicates that the client system is not authorized to access the resource. In response to the HTTP rejection response, the client system generates an authorization header. The client system then generates a second HTTP request that requests a resource, the resource being provided by the server system. The second HTTP request includes an HTTP header that specifies the authorization header. After generating the second HTTP request, the client system uses the TCP connection to send the second HTTP request to the server system. Upon receiving the second HTTP request, the server system uses the authorization header in the second HTTP request to perform an authentication process. An authentication process is a sequence of actions performed to authenticate a client system to a server system. If the authentication process is successful, the server system considers the TCP connection to be an authenticated connection. Furthermore, if the authentication process is successful, the server system sends a second HTTP response back to the client system. The second HTTP response contains the resource requested by the second HTTP request. The server system assumes that all subsequent HTTP requests received on the TCP connection are authentically from the client system. Consequently, when connection-based HTTP authentication is used, there is no need for the client system to include authorization headers in subsequent HTTP requests sent to the server system using the TCP connection.
When request-based HTTP authentication is used, a client system sends a first HTTP request to a server system. The client system may use a TCP connection to send the first HTTP request to the server system. The first HTTP request requests a resource, the resource being provided by the server system. If HTTP authentication is required, the server system uses the TCP connection to send a first HTTP rejection response back to the client system. The first HTTP rejection response indicates that the client system is not authorized to access the resource. In response to the HTTP rejection response, the client system generates an authorization header. The client system then generates a second HTTP request and uses the TCP connection to send the second HTTP request to the server system. The second HTTP request requests a resource, the resource being provided by the server system. The second HTTP request includes an HTTP header that specifies the authorization header. Upon receiving the second HTTP request, the server system performs an authentication process. If the authentication process is successful, the server system sends a second HTTP response back to the client system. The second HTTP response contains the resource requested by the second HTTP request. However, the server system does not assume that all subsequent HTTP requests on the TCP connection are authentically from the client system. Consequently, when request-based HTTP authentication is used, the client system must include an authorization header in each HTTP request sent to the server system on the TCP connection.
By default, many client systems are configured to use connection-based HTTP authentication. Such client systems send HTTP requests with authorization headers only when such client systems receive HTTP rejection responses. As mentioned above, when a server system is configured to use request-based HTTP authentication, the server system provides an HTTP response containing a requested resource only in response to an HTTP request containing an authorization header. Consequently, whenever the server system receives an HTTP request without an authorization header, the server system sends back an HTTP rejection response. As a result, whenever a client system configured to use connection-based HTTP authentication sends HTTP requests to a server system configured to use request-based HTTP authentication, the client system effectively sends two HTTP requests to the server system: a first HTTP request without an authorization header and a second HTTP request with an authorization header.
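The mismatch described above can be reproduced with a small simulation, added here as an example that is not part of the original text. It models both server modes and both client behaviours without any network I/O; the names `Server`, `Client`, `VALID_AUTH` and `request_counts` are hypothetical, and status 401 stands in for the HTTP rejection response.

```python
# Constructed simulation of the two authentication modes; no network I/O.
# All names (Server, Client, VALID_AUTH, request_counts) are hypothetical.
from dataclasses import dataclass, field

VALID_AUTH = "demo-credential"  # constructed stand-in for an authorization header value

@dataclass
class Server:
    mode: str  # "connection" or "request"
    authed_conns: set = field(default_factory=set)

    def handle(self, conn_id, auth=None):
        """Process one HTTP request on a TCP connection; return the status code."""
        if self.mode == "connection" and conn_id in self.authed_conns:
            return 200  # connection already authenticated: header not checked
        if auth == VALID_AUTH:
            if self.mode == "connection":
                self.authed_conns.add(conn_id)  # trust the connection from now on
            return 200
        return 401  # HTTP rejection response

@dataclass
class Client:
    always_send_auth: bool  # False: add the header only after a rejection

    def fetch(self, server, conn_id, n_resources):
        """Request n resources on one connection; return how many requests were sent."""
        sent = 0
        for _ in range(n_resources):
            sent += 1
            status = server.handle(conn_id, VALID_AUTH if self.always_send_auth else None)
            if status == 401:
                sent += 1  # retry the same resource with the authorization header
                status = server.handle(conn_id, VALID_AUTH)
            if status != 200:
                raise RuntimeError("authentication failed")
        return sent

def request_counts(n=5):
    """Requests needed to fetch n resources for each client/server pairing."""
    return {
        (c_name, s_mode): Client(always).fetch(Server(s_mode), conn_id=1, n_resources=n)
        for c_name, always in (("on-rejection", False), ("every-request", True))
        for s_mode in ("connection", "request")
    }

if __name__ == "__main__":
    for pairing, count in request_counts().items():
        print(pairing, count)
```

For five resources, the client that adds the header only after a rejection sends 6 requests to the connection-based server and 10 to the request-based server, while a client that sends the header on every request needs 5 in either case.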