Yes the browser sends the proxy authentication info to the ANS
InterLock proxy on every connection. It is passed in the MIME header
like the normal authentication info but with a different name
"Proxy-Authorization" vice "Authorization". That line is consumed at
the proxy and the rest of the message gets passed to the destination if
proxy authentication information is valid and all other conditions are
met. The normal authentication information gets passed along so the user
can access pages that also require authentication.
The "challenge" consists of sending the error code 407 instead of
401 to the client if the authentication information is required but absent.
This mechanism wandered in and out of the various HTTP 1.0 drafts
but was included in the last HTTP 1.1 draft I looked at. To the best of
my knowledge, Netscape is the only client that supports it currently
although I occasionally get calls from client vendors asking about it.