Why “Content-Length: 0” in POST requests?

Question

A customer sometimes sends POST requests with Content-Length: 0 when submitting a form (10 to over 40 fields).

We tested it with different browsers and

Answer 1

We had a customer using same website in anonymous and NTLM mode (on different ports). We found out that in our case the 401 was related to Riverbed Steelhead application used for http optimization. The first signal pointing us into that direction was a X-RBT-Optimized-By header. The issue was the Gratuitous 401 feature:

This feature can be used with both per-request and per-connection authentication but it‘s most effective when used with per-request authentication. With per-request authentication, every request must be authenticated against the server before the server would serve the object to the client. However, most browsers do not cache the server‘s response requiring authentication and hence it will waste one round-trip for every GET request. With Gratuitous 401, the client-side Steelhead appliance will cache the server response and when the client sends the GET request without any authentication headers, it will locally respond with a ―401 Unauthorized‖ message and therefore saving a round trip. Note that the HTTP module does not participate in the actual authentication itself. What the HTTP module does is to inform the client that the server requires authentication without requiring it to waste one round trip.