The digest auth implementation using algorithm=MD5-sess is broken.
It seems that someone just integrated the "sample implementation" that can
be found in RFC 2617 without having read section 3.2.2.2:
====
If the "algorithm" directive's value is "MD5-sess", then A1 is
calculated only once - on the first request by the client following
receipt of a WWW-Authenticate challenge from the server. It uses the
server nonce from that challenge, and the first client nonce value to
construct A1 as follows:
A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value)
This creates a 'session key' for the authentication of subsequent
requests and responses which is different for each "authentication
session", thus limiting the amount of material hashed with any one
key.
====
That means that the server MUST retain the initial value of HA1 over
the complete session and MUST NOT recalculate HA1 with every subsequent
cnonce issued by the client.
However, most current browsers (but not all!) get this wrong in the same way,
so it is advisable to keep the broken per-request recalculation of HA1 as a last
resort for such client implementations.
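To make the difference concrete, here is an added simulation (not lighttpd code and not from the RFC) of the two readings of section 3.2.2.2. A client sends three requests under one challenge with a fresh cnonce each time; a conforming client derives HA1 once from its first cnonce, the "malimplementation" re-derives it from every cnonce. The server is run in three modes: retaining HA1 per session as the RFC text says, recalculating it per request, and the fallback order suggested above. All credentials, nonces and cnonces are constructed sample values; the helper names (`sessionize_ha1`, `DigestServer`, `simulate`) are hypothetical.

```python
import hashlib
import hmac


def H(data: str) -> str:
    """H() of RFC 2617: hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return H(secret + ":" + data)


def sessionize_ha1(ha1_base: str, nonce: str, cnonce: str) -> str:
    """HA1 for algorithm=MD5-sess (RFC 2617 3.2.2.2), i.e.
    H( H(user:realm:passwd) ":" nonce ":" cnonce ).
    The RFC text builds this once, from the challenge nonce and the *first*
    cnonce, and reuses it for the rest of the authentication session."""
    return H(f"{ha1_base}:{nonce}:{cnonce}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest with qop=auth: KD(HA1, nonce:nc:cnonce:qop:HA2)."""
    ha2 = H(f"{method}:{uri}")
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Constructed sample values, not real credentials.
USERNAME, REALM, PASSWORD = "mufasa", "testrealm@host.com", "Circle Of Life"
HA1_BASE = H(f"{USERNAME}:{REALM}:{PASSWORD}")   # what an htdigest file stores
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed nonce
METHOD, URI = "GET", "/dir/index.html"
CNONCES = ["0a4f113b", "1b5e224c", "2c6f335d"]       # one fresh cnonce per request


def client_requests(recompute_ha1_each_request: bool):
    """Three requests answering one challenge, as (nc, cnonce, response).
    A conforming client fixes HA1 from its first cnonce; the broken one
    re-derives HA1 from whatever cnonce it sends on each request."""
    first_ha1 = sessionize_ha1(HA1_BASE, SERVER_NONCE, CNONCES[0])
    requests = []
    for i, cnonce in enumerate(CNONCES, start=1):
        ha1 = (sessionize_ha1(HA1_BASE, SERVER_NONCE, cnonce)
               if recompute_ha1_each_request else first_ha1)
        nc = f"{i:08x}"
        requests.append(
            (nc, cnonce, digest_response(ha1, METHOD, URI, SERVER_NONCE, nc, cnonce)))
    return requests


class DigestServer:
    """mode: 'session'  - retain HA1 from the first request (RFC 2617 text)
             'recalc'   - recompute HA1 from every request's cnonce
             'fallback' - retained HA1 first, recalculation as last resort
    Note the per-nonce state: supporting MD5-sess correctly is what forces
    the server to keep session state at all."""

    def __init__(self, mode: str):
        self.mode = mode
        self.session_ha1 = {}   # server nonce -> HA1 fixed at the first request

    def verify(self, method, uri, nonce, nc, cnonce, response) -> bool:
        candidates = []
        if self.mode in ("session", "fallback"):
            # setdefault only computes HA1 the first time this nonce is seen,
            # so later requests with other cnonces keep the original value.
            candidates.append(self.session_ha1.setdefault(
                nonce, sessionize_ha1(HA1_BASE, nonce, cnonce)))
        if self.mode in ("recalc", "fallback"):
            candidates.append(sessionize_ha1(HA1_BASE, nonce, cnonce))
        return any(
            hmac.compare_digest(digest_response(c, method, uri, nonce, nc, cnonce), response)
            for c in candidates)


def simulate(client_recomputes: bool, server_mode: str):
    """Return the accept/reject verdict for each of the client's three requests."""
    server = DigestServer(server_mode)
    return [server.verify(METHOD, URI, SERVER_NONCE, nc, cnonce, resp)
            for nc, cnonce, resp in client_requests(client_recomputes)]


if __name__ == "__main__":
    for client in (False, True):
        for mode in ("session", "recalc", "fallback"):
            print(f"client_recomputes={client!s:5} server={mode:8} -> {simulate(client, mode)}")
```

Only the first request succeeds whenever client and server disagree on when HA1 is fixed; the second and third requests fail in both mismatched pairings. The fallback mode accepts both kinds of client, at the cost of keeping per-nonce state and doing two digest computations on a mismatch. A real server would additionally track the nc counter per nonce to reject replays, which this sketch leaves out.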
IMHO the best thing for lighttpd would simply be NOT to support MD5-sess,
because supporting it would introduce the need for some sort of session
handling.