DSAPI problem in R6

We have developed a DSAPI filter for R5. However the behaviour is not
good in R6.
Problem 1:
A user hits a protected page. The user is prompted for a username and
password.
In case the user enters a wrong password the filter specifies
authData->authType=kNotAuthentic and return kFilterHandledEvent.
In R5 the user is prompted a second time for a username and password.
Then a third time and then some error page is displayed

However in R6 the user is NOT prompted a second time for a username
and password. A "page not found" error is displayed in the browser

Problem 2:
R5 behaviour: after three attempts the user get the "invalid user/pwd"
screen. The URL in the address bar is still the original URL. The user
could refresh the page and gets another three tries
R6 behaviour: the address bar contains the original URL. The user
refreshes the page. The DSAPI is called with the old username and
password. The user is not prompted for a username and password. The
only solution for the user is to close the browser

The problem appears in 601 and 602.
The setting of CheckCacheBeforeDSAPI has no influence
It happens with standard and session based authentication

We are really blocked.

Thanks in advance for any help