@freddy You typically see this when IIS handles NTLM/Kerberos auth. Authentication is transparently handled on the (Windows) client so even if the session cookie is not sent (e.g. due to SameSite) with the original request, the request gets reauthenticated and (in most cases) the requested action will be performed at server-side.