Here's how a digest authentication transaction plays out:
- The client requests a URL from the server.
- The server checks the URL and sees that it's a protected file or directory. Instead of serving it, the server returns a 401 (Unauthorized) response whose WWW-Authenticate: Digest header carries the realm name and a freshly generated, server-chosen nonce.
- The client hashes the username, realm and password together (RFC 2617 calls this HA1), hashes the request method and URI (HA2), and then hashes those two values together with the server's nonce (and, with qop=auth, a client nonce and a request counter) to produce the response value. It re-sends the request with an Authorization: Digest header listing the username, realm, nonce, URI, algorithm and that response value. The password itself never leaves the client.
- The server looks up the stored hash for that username and realm in its digest file (the file holds MD5(user:realm:password), not the password), recomputes the expected response with the nonce it issued (it knows the nonce because it generated it), and compares the two. A match means the client knew the password; a mismatch, or a nonce the server did not issue, means the request is rejected.
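The following Python script walks through the exchange described above, with both sides implemented, as an added example that is not part of the original text and not Apache's own code. It uses the RFC 2617 response computation with qop=auth; the realm, username, password, nonces and file contents are all constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample values; none of these come from a real deployment.
REALM = "Protected Area"
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
METHOD = "GET"
URI = "/private/index.html"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    """One line in the format Apache's htdigest tool writes:
    user:realm:MD5(user:realm:password). The password is not stored."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def load_digest_file(text: str) -> dict:
    """Parse htdigest-style lines into {(user, realm): HA1}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        table[(user, realm)] = ha1
    return table


def server_challenge(realm: str, nonce: str = None) -> dict:
    """Step 2: the 401 carries the realm and a server-chosen nonce."""
    if nonce is None:
        nonce = os.urandom(16).hex()
    return {"realm": realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617, qop=auth: HA2 = MD5(method:uri);
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(challenge, user, password, method, uri,
                         cnonce=None, nc="00000001"):
    """Step 3: the client mixes password, realm, nonce, method and URI into
    the response and sends the components, never the password, back."""
    if cnonce is None:
        cnonce = os.urandom(8).hex()
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    resp = digest_response(ha1, method, uri, challenge["nonce"], nc, cnonce,
                           challenge["qop"])
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
            "nc": nc, "cnonce": cnonce, "response": resp}


def format_authorization(auth: dict) -> str:
    """Serialize the fields as an Authorization: Digest header value
    (nc and qop are sent unquoted, as the RFC's examples do)."""
    parts = [f'{k}={v}' if k in ("nc", "qop") else f'{k}="{v}"'
             for k, v in auth.items()]
    return "Digest " + ", ".join(parts)


def parse_authorization(header: str) -> dict:
    """Parse a Digest header value back into a dict (quoted or bare values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest authorization header")
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', header[len("Digest "):])
    return {k: (q if q else b) for k, q, b in found}


def server_verify(table, issued_nonce, method, auth):
    """Step 4: look up the stored HA1 for (user, realm), recompute the expected
    response with the nonce the server issued, and compare. The server never
    handles the plaintext password."""
    if auth.get("nonce") != issued_nonce:
        return False  # nonce the server did not issue: replay or forgery
    ha1 = table.get((auth.get("username"), auth.get("realm")))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    table = load_digest_file(htdigest_line(USERNAME, REALM, PASSWORD))
    challenge = server_challenge(REALM)
    header = format_authorization(
        client_authorization(challenge, USERNAME, PASSWORD, METHOD, URI))
    print(header)
    print("accepted:", server_verify(table, challenge["nonce"], METHOD,
                                     parse_authorization(header)))
```

Because the method and URI are part of HA2, a captured response value is only good for the same request against the same nonce; changing either, or the nonce, makes verification fail. That is what stops a passive eavesdropper from reusing what they saw, and it is also why Apache rejects requests whose nonce has expired.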
Before you can implement digest authentication under Apache, three elements must be in place: the mod_auth_digest module must be compiled into the server statically or loaded as a dynamic module; a digest file created with the htdigest tool must exist, holding one user:realm:MD5(user:realm:password) line per account (the plaintext password is never stored); and the required directives (AuthType Digest, AuthName naming the realm, AuthUserFile pointing at the digest file, and a Require line) must be added to httpd.conf or the relevant directory or location container.
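A minimal configuration that ties those three elements together, as an added example rather than text from the original page; the module path, the location, the realm name and the digest file path are assumptions, and the directive names are those of Apache 2.2 and later.

```apache
# Only needed when mod_auth_digest was built as a shared module.
LoadModule auth_digest_module modules/mod_auth_digest.so

<Location "/private">
    AuthType Digest
    # AuthName is the realm; it must match the realm given to htdigest.
    AuthName "Protected Area"
    AuthDigestDomain /private
    AuthDigestProvider file
    AuthUserFile "/usr/local/apache2/conf/digest.passwd"
    Require valid-user
</Location>
```

The digest file referenced by AuthUserFile is created with `htdigest -c /usr/local/apache2/conf/digest.passwd "Protected Area" alice`, and the realm string must be identical in both places, because it is part of the stored hash. Keep the file outside the document root and readable only by the user Apache runs as: its lines are not passwords, but anyone who can read them can impersonate the user against this realm.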
A word of caution: the client's browser must support digest authentication, and not all vendors support (or support correctly) the MD5 method. Make sure you thoroughly test any digest authentication implementation, with a wide range of browsers, before implementing it on a production server. Remember also that digest authentication protects only the password exchange: the pages themselves still travel in the clear unless the connection uses TLS.