If a user is not authenticated through authentication web form, BM
redirects him to the authentication web form.
How does BM determines whether the current http-request belongs to the

authenticated user or not?