3.2.5 Message Processing Events and Sequencing Rules
The Authorization header is only sent by the client. For more information, see [RFC2616] section 14.8.
The Persistent-Auth header is a hint from the HTTP server to the HTTP client. The Persistent-Auth header is only valid when sent with the final response from the server after authentication has completed, and in all other cases it MUST be ignored. After the client has completed authentication with the server it SHOULD process the Persistent-Auth header.
If the persistent-auth-token is set to "true", then the client SHOULD set persistent-auth-value to 1 for the current connection.
If the persistent-auth-token is set to "false", then the client SHOULD set persistent-auth-value to 0 for the current connection.
If the persistent-auth-token is set to any value other than "true" or "false", then the Persistent-Auth header MUST be ignored.
When the Persistent-Auth header is not present and the authentication has completed, then the client SHOULD set persistent-auth-value to 1 if the underlying authentication protocol is NTLM.
When the client sends a request on a connection, then the client SHOULD use the value of persistent-auth-value to determine when to authenticate.
When persistent-auth-value is 1, then authentication SHOULD NOT be performed.
When persistent-auth-value is 0, then authentication SHOULD be performed whenever permitted under the conditions specified by [RFC2617] and [RFC4559].
When the client receives a "401" status code in the response, it MUST set persistent-auth-value to 0.
All other messages are handled by the client as specified in [RFC2616].
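The client rules above, written as a per-connection state tracker. This is an added example, not code from the specification: the class and method names, the initial value of 0, the case-insensitive token comparison, and treating an ignored header the same as an absent one are assumptions.

```python
class ConnectionAuthState:
    """Tracks persistent-auth-value for one HTTP connection (hypothetical name)."""

    def __init__(self, scheme):
        self.scheme = scheme            # authentication protocol, e.g. "NTLM"
        self.persistent_auth_value = 0  # assumed initial value: authenticate

    def should_authenticate(self):
        # 1: authentication SHOULD NOT be performed on this connection.
        # 0: authenticate whenever RFC 2617 / RFC 4559 permit it.
        return self.persistent_auth_value == 0

    def on_response(self, status, headers, final_auth_response):
        """Update state from a response.

        headers: dict keyed by canonical header name (assumption).
        final_auth_response: True only for the final response that
        completes an authentication exchange.
        """
        if status == 401:
            self.persistent_auth_value = 0  # MUST reset on any 401
            return
        if not final_auth_response:
            return  # Persistent-Auth is ignored outside the final response
        token = headers.get("Persistent-Auth")
        if token is not None:
            token = token.strip().lower()  # assumption: case-insensitive
        if token == "true":
            self.persistent_auth_value = 1
        elif token == "false":
            self.persistent_auth_value = 0
        elif self.scheme.upper() == "NTLM":
            # Header absent (or ignored as invalid): NTLM defaults to 1.
            self.persistent_auth_value = 1


if __name__ == "__main__":
    # Constructed response sequence on a single NTLM connection.
    conn = ConnectionAuthState("NTLM")
    conn.on_response(200, {}, final_auth_response=True)
    print("after NTLM handshake:", conn.should_authenticate())
    conn.on_response(401, {}, final_auth_response=False)
    print("after 401:", conn.should_authenticate())
```
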