I've recently started working at a WAP content provider. Normally we get the MSISDN set in the HTTP headers of requests via the WAP gateways of the operators we have relationships with. However, with some later phones, we only seem to get the MSISDN with non-SSL connections; when they switch to SSL, the MSISDN is no longer set in the headers. With older phones we do get this.
Our current theory is that the newer phones (e.g. Nokia 6600) are using TLS rather than WTLS to secure the connection between the phone and the WAP gateway, in which case the SSL encryption happens end-to-end, phone to our web server. In this case it seems like the operator won't be able to insert the MSISDN header.
So I have several questions. First, does this theory seem right? I would assume it would be a fairly well known situation if so. And if it is true, is it generally accepted that identifying and authenticating users by MSISDN is not possible with newer phones and SSL connections? Are there any workarounds or alternatives?