<ol>
<li>Client makes request
</li>
<li>Client gets back a nonce from the server and a 401 authentication request
</li>
<li>Client sends back the following response array (username, realm, generate_md5_key(nonce, username, realm, URI, password_given_by_user_to_browser)) (yea, that's very simplified)
</li>
<li>The server takes username and realm (plus it knows the URI the client is requesting) and it looks up the password for that username. Then it goes and does its own version of generate_md5_key(nonce, username, realm, URI, password_I_have_for_this_user_in_my_db)
</li>
<li>It compares the output of generate_md5() that it got with the one the client sent, if they match the client sent the correct password. If they don't match the password sent was wrong.
</li>
</ol>

1. Client makes request
    
2. Client gets back a nonce from the server and a 401 authentication request
    
3. Client sends back the following response array (username, realm, generate\_md5\_key(nonce, username, realm, URI, password\_given\_by\_user\_to\_browser)) (yea, that's very simplified)
    
4. The server takes username and realm (plus it knows the URI the client is requesting) and it looks up the password for that username. Then it goes and does its own version of generate\_md5\_key(nonce, username, realm, URI, password\_I\_have\_for\_this\_user\_in\_my\_db)
    
5. It compares the output of generate\_md5() that it got with the one the client sent, if they match the client sent the correct password. If they don't match the password sent was wrong.

How does http-digest authentication works