Do the auth stuff at the end-of-headers and not at the start-of-body, as

we might not get a body when we get a 401 with a set of WWW-Authenticate:
headers. This fixes the problem Kevin Roth detected in 7.10.8-pre4 and pre5.
Verified by test case 91.