WinInet and WinHTTP HTTPS Sessions send empty Authentication header
This is an issue I've seen a while back, and had the pleasure of seeing again today.
HTTP uses the Authentication header to pass credentials during authentication. For Basic authentication the information can easily be decoded to retrieve the UserId and password: the Authentication header is Base64 encoded and NOT encrypted. (That's a good reason for NOT using Basic authentication without SSL.) The handshake is as follows:
- Client submits a request without an Authentication header
- Server responds with 401 and a WWW-Authenticate header that specifies the allowed authentication schemes
- Client resends the original request and provides an Authentication header that includes the credentials
The usual code on the server is:
If Not Authenticated
    If Authentication header does not exist or is empty
        return 401
    Else
        authorize
Decode Authentication header to retrieve UserId for ......
What I've seen is that once the connection is established, the server considers the client authenticated, but the client (WinInet, WinHTTP, etc.) might pass an empty Authentication header. That means the code above will skip authentication, but will not be able to retrieve the UserId. I wasn't able to find a lot of documentation on this; actually only one good link: http://www1.tools.ietf.org/html/draft-johansson-http-gss-00. There are two ways we were able to solve the problem. The easy way:
If Authentication header does not exist or is empty
    return 401
Else
    If Not Authenticated
        authorize
    Decode Authentication header to retrieve UserId for ......
And the more complicated way:
If Not Authenticated
    If Authentication header does not exist or is empty
        return 401
    Else
        authorize
        Store UserId in connection context
Use connection context to retrieve UserId for ......
The second solution is faster, since it caches both the authentication state and the UserId. However, it is the more complicated solution.
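The three server-side variants above, written out in Python as an added example (not code from the post), with a simulated three-request exchange on one connection that ends with the empty header the post describes. The header is spelled Authorization as in the HTTP spec, the connection object and the credential check are stubs, and the alice:s3cret credential is constructed for the example.

```python
import base64

class Connection:
    # Per-connection state; a real server keeps this with the TCP/TLS session.
    def __init__(self):
        self.authenticated = False
        self.user_id = None

def decode_basic(header):
    # UserId from "Basic <base64(user:password)>"; None if absent or malformed.
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None

def handle_buggy(conn, header):
    # The post's first snippet: an authenticated connection skips the 401, but the
    # UserId is still decoded from a header that WinInet/WinHTTP may send empty.
    if not conn.authenticated:
        if not header:
            return 401, None
        conn.authenticated = True        # "authorize": credential check stubbed out
    return 200, decode_basic(header)     # None on the empty header: caller unknown

def handle_easy(conn, header):
    # "Easy way": an empty header always gets a 401, so the client resends credentials.
    if not header:
        return 401, None
    conn.authenticated = True
    return 200, decode_basic(header)

def handle_cached(conn, header):
    # "Complicated way": decode once and keep the UserId in the connection context.
    if not conn.authenticated:
        user = decode_basic(header)
        if user is None:
            return 401, None
        conn.authenticated, conn.user_id = True, user
    return 200, conn.user_id

def simulate(handler):
    # Constructed exchange on one connection: no header, then the constructed
    # "alice:s3cret" credential, then the empty header the post describes.
    conn = Connection()
    return [handler(conn, h) for h in (None, "Basic YWxpY2U6czNjcmV0", "")]
```

The buggy handler answers the third request with 200 but no UserId, the easy way forces a fresh 401/resend, and the cached way serves it from the connection context.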
1 comment:
hmm.. love this post!