I don't get why WebSession proposes to use authentication headers like WWW-Authenticate, when it calls out at the start that it's not a replacement for authentication protocols. If that's the case, surely it should just be using it's own headers to avoid confusion.
