I have a web api consumed by mobile apps. I can reproduce case with postman also with appropriate params.

Here are my postman call captured by fiddler:

GET http://localhost/WebApi/api/User/GetAnnouncement?id=22 HTTP/1.1
Content-Type: application/json
ApiKey: someKey
AuthenticationToken: someGuid1
UserId: 6524
DeviceId: someGuid2
LocalDate: 538294155.662561
OsTypeId: 1
LoginToken: someGuid3
CompanyId: 2
cache-control: no-cache
Postman-Token: b863afdd-b04c-4a4d-b473-69d5ecef622e
User-Agent: PostmanRuntime/7.4.0
Accept: */*
Host: localhost
cookie: ASP.NET_SessionId=nk4g3zzfyi0n3xomfw5dxxxx
accept-encoding: gzip, deflate
Connection: keep-alive

and my issue occurs in authorize action filter:

    public class BasicAuthorizeAttribute : FilterAttribute
    {

    }

    public class BasicAuthorizeFilter : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
         //!!!HERE when I debug, in watch I can see already authHeader has value "in some calls"

System.Threading.Thread.SetData( System.Threading.Thread.GetNamedDataSlot("authHeader"), "someValueComingFromRequestHeader" );
        }
    }

At the very beginning of the OnAuthorization (see !!!HERE line in the code), I can see in watch this expression:

System.Threading.Thread.GetData(System.Threading.Thread.GetNamedDataSlot("authHeader"))

has the value even though I expect it is always null. It has even the value from previous client.

Actually issue come to as a bug "session" mingled (I mean mixed).

This pieces code is on the my company's framework so something is weirdly wrong. I can give as much as I can so far. Please ask any info necessary.

What could be the cause?

I am daring to ask this because it is possible the issue obvious may be.

Note: I have the same case while none debugging with two phones connected to my pc via proxy settings.