3.1.5 Message Processing Events and Sequencing Rules
The Protocol Discovery request MUST be sent by the protocol client (for details, see section 2.2.1). The X-FORMS_BASED_AUTH_REQUIRED header and the X-FORMS_BASED_AUTH_RETURN_URL header SHOULD<5> be returned by the protocol server (for details, see section 2.2.2). Clients and servers MUST be compliant with HTTP/1.1 ([RFC2616]), HTTP Authentication ([RFC2617]), and the HTTP State Management Mechanism ([RFC2109]).