Dive into “PreAuthenticate”

Based on the definition of “PreAuthenticate” of System.Net in MSDN, https://msdn2.microsoft.com/en-gb/library/system.net.httpwebrequest.preauthenticate.aspx

“After a client request to a specific Uri is successfully authenticated, if PreAuthenticate is true and credentials are supplied, the WWW-authenticate header is sent with each request to that Uri; otherwise, the request uses standard authentication procedures.

With the exception of the first request, the PreAuthenticate property indicates whether to send authentication information with subsequent requests to the specific Uri without waiting to be challenged by the server.”

The example is shown as below:

PreAuthenticate is false :

1. Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

Server: 200 OK

2. Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

Server: 200 OK

PreAuthenticate is true :

1. Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

2. Server: 200 OK

Client: GET someUrl with Authorization headers

So, if the authentication scheme supports pre-authenticate, for instance, see RFC 2617 – Digest Access Authentication, we will save (n – 1) round trips. We cannot simply avoid the first one because the initial nonce should be sent from server side.

The secret behind the curtain is “Nc” in HTTP AuthData. “For subsequent requests, “Nc” maintained by client must be greater than the last value it used and nonce of server got from the first HTTP 401 response, will be reused.