"c" | "d" | "e" | "f"

   The values of the opaque and algorithm fields must be those supplied
   in the WWW-Authenticate response header for the entity being
   requested.

   response
     A string of 32 hex digits computed as defined below, which proves
     that the user knows a password

   username
     The user's name in the specified realm.






 
RFC 2617                  HTTP Authentication                  June 1999


   digest-uri
     The URI from Request-URI of the Request-Line; duplicated here
     because proxies are allowed to change the Request-Line in transit.

   qop
     Indicates what "quality of protection" the client has applied to
     the message. If present, its value MUST be one of the alternatives
     the server indicated it supports in the WWW-Authenticate header.
     These values affect the computation of the request-digest. Note
     that this is a single token, not a quoted list of alternatives as
     in WWW- Authenticate.  This directive is optional in order to
     preserve backward compatibility with a minimal implementation of
     RFC 2069 [6], but SHOULD be used if the server indicated that qop
     is supported by providing a qop directive in the WWW-Authenticate
     header field.

   cnonce
     This MUST be specified if a qop directive is sent (see above), and
     MUST NOT be specified if the server did not send a qop directive in
     the WWW-Authenticate header field.  The cnonce-value is an opaque
     quoted string value provided by the client and used by both client
     and server to avoid chosen plaintext attacks, to provide mutual
     authentication, and to provide some message integrity protection.
     See the descriptions below of the calculation of the response-
     digest and request-digest values.

   nonce-count
     This MUST be specified if a qop directive is sent (see above), and
     MUST NOT be specified if the server did not send a qop directive in
     the WWW-Authenticate header field.  The nc-value is the hexadecimal
     count of the number of requests (including the current request)
     that the client has sent with the nonce value in this request.  For
     example, in the first request sent in response to a given nonce
     value, the client sends "nc=00000001".  The purpose of this
     directive is to allow the server to detect request replays by
     maintaining its own copy of this count - if the same nc-value is
     seen twice, then the request is a replay.   See the description
     below of the construction of the request-digest value.

   auth-param
     This directive allows for future extensions. Any unrecognized
     directive MUST be ignored.

   If a directive or its value is improper, or required directives are
   missing, the proper response is 400 Bad Request. If the request-
   digest is invalid, then a login failure should be logged, since
   repeated login failures from a single client may indicate an attacker
   attempting to guess passwords.




 
RFC 2617                  HTTP Authentication                  June 1999


   The definition of request-digest above indicates the encoding for its
   value. The following definitions show how the value is computed.

3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
                                          ":" nc-value
                                          ":" unq(cnonce-value)
                                          ":" unq(qop-value)
                                          ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) >
   <">

   See below for the definitions for A1 and A2.