Hello,

I have been studying mod_auth_digest to determine how it knows when a 
browser has ended its session, thinking it sends metadata to tell the browser 
to prompt the user again for login/password at the beginning of a new session.  
I was interested in the behavior which I observed for different browsers where, 
after shutdown and restart, the user would be prompted to provide login info again. 
Even some browsers which save sessions after shutdown, e.g. Firefox and 
Safari, would still prompt for login.

What I seem to have found is that the only metadata the server sends in regard 
to needing authorization is a 401, and thus I have concluded it is the browser 
which determines the behavior of requiring re-entering login info.  This seemed 
to be confirmed when I tried shutdown/restart on Chrome, and it did not require 
re-entering login info.

So I believe that mod_auth_digest has no and uses no mechanism for tracking 
sessions, and always operates in a stateless context.  In essence, for each 
request it checks the request header for proper login metadata, and if and only 
if it qualifies does it allow access, otherwise, it sends a 401.  The policy on 
prompting and gathering of login info from the user is entirely up to the 
browser.

Does this sound correct?

Thanks,

Allasso

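To make the per-request check concrete, here is an added example (mine, not code from the original post or from mod_auth_digest) that verifies one request's Digest Authorization header against a stored HA1 the way RFC 2617 defines it; the realm, user, password, nonce and cnonce values are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed credential store. Like an htdigest file, the server keeps only
# HA1 = MD5("username:realm:password"), never the cleartext password.
REALM = "example-realm"  # assumed realm, not from the original post
USERS = {"alice": hashlib.md5(b"alice:example-realm:s3cret").hexdigest()}

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest_header(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; None if not a Digest header."""
    if not value.startswith("Digest "):
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[7:])
    return {k: quoted or bare for k, quoted, bare in pairs}

def verify_request(method, uri, authorization):
    """Check one request on its own. Nothing is remembered between calls:
    a missing or wrong header simply means 'answer 401 again'."""
    d = parse_digest_header(authorization or "")
    if not d or d.get("realm") != REALM or d.get("uri") != uri:
        return False
    ha1 = USERS.get(d.get("username"))
    if ha1 is None:
        return False
    ha2 = _md5(f"{method}:{uri}")
    if d.get("qop") == "auth":
        kd = f'{ha1}:{d.get("nonce")}:{d.get("nc")}:{d.get("cnonce")}:auth:{ha2}'
    else:
        kd = f'{ha1}:{d.get("nonce")}:{ha2}'
    return hmac.compare_digest(_md5(kd), d.get("response", ""))

def build_authorization(username, password, method, uri, nonce, cnonce, nc="00000001"):
    """What a browser recomputes for every request once it holds the credentials;
    the server-issued nonce is passed in as a constructed value here."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')

if __name__ == "__main__":
    hdr = build_authorization("alice", "s3cret", "GET", "/private/", "n0nce", "c0nce")
    print(verify_request("GET", "/private/", None))  # False: server answers 401
    print(verify_request("GET", "/private/", hdr))   # True: same check on every request
```

A production server additionally checks that the nonce is one it issued and not stale (answering 401 with stale=true otherwise), but that too is a per-request check rather than session state.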