Appendix K – Digest Authentication

Digest Authentication is a security mechanism that allows a client application to authenticate itself to the server by sending a message digest along with its HTTP request. The digest is generated by applying a one-way hash algorithm to a combination of the HTTP request message and the client’s password.

A typical digest authentication process includes the following steps:

Step 1 – Initial Request
The client sends an initial request that requires authentication but does not include a username or password.

Step 2 – Server Challenge
The server responds with a 401 Unauthorized status code and provides an authentication realm along with a nonce (a randomly generated, single-use value).

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="MLS.IDX.API",
nonce="NjM0NjkxNDY3NDU3NzYuNDo3YWNiNjk3NjIzNmY2MWU2ZmY2ZGRlZWRlMWFiYmVhNw==",
qop="auth"

This response indicates that authentication is required. The realm identifies the authentication scope, and the nonce is a unique, single-use value that the client must echo back and use when computing the digest for its next request.

Step 3 – Client Authorization Request
The client then makes another request, this time including an Authorization header containing the digest credentials.

Authorization: Digest
username="11UUctLDhfS8hkqpuhkgfhrB",
realm="MLS.IDX.API",
nonce="NjM0NjkxNDY3NDU3NzYuNDo3YWNiNjk3NjIzNmY2MWU2ZmY2ZGRlZWRlMWFiYmVhNw==",
uri="/Login.svc/Login",
cnonce="5ee95aeee8c10a3e780da1455e33a2f3",
nc=00000001,
response="a5621bb7658b8936808db14d5ac02862",
qop="auth"

This header allows the client to securely prove its identity using the server-provided nonce and its own credentials, without sending the password in plain text.

Step 4 – Server Response and Session Establishment
If the authentication is successful, the server processes the request and returns a session ID cookie as part of the response. This session ID must be included in subsequent requests to maintain the authenticated session.

Example response:

HTTP/1.1 200 OK
Set-Cookie: X-SESSIONID=c838d36c-506e-4595-9697-3f7a6ae6e08d;
expires=Fri, 04-May-2012 14:36:34 GMT;
path=/

The X-SESSIONID value uniquely identifies the session and is required for all future authenticated requests until logout or session expiration.

Step 5 – Invalid Credentials
If the provided username or password is incorrect, the server responds with a 401 Unauthorized status code and issues a new nonce value. The client must then retry the authentication process using the updated nonce.

Example response:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="MLS.IDX.API",
nonce="NjM0NjkxNDY3NDU3NzYuNDo3YWNiNjk3NjIzNmY2MWU2ZmY2ZGRlZWRlMWFiYmVhNw==",
qop="auth"

Because a fresh nonce is issued with every challenge, each nonce value is used for only one authentication attempt, and a previously sent Authorization header cannot simply be resubmitted.
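As an added, runnable illustration of Steps 2 through 5 (not code from this appendix or from the API vendor), the following Python computes the qop="auth" response of RFC 2617 from the challenge and client values shown above, builds the Authorization header, and verifies it on the server side while consuming the nonce. The password is a constructed placeholder, so the computed response differs from the one printed in Step 3; the method "GET" and the in-memory nonce set are assumptions.

```python
import hashlib
import hmac
import re

# Challenge and client values as shown in this appendix; PASSWORD is a constructed placeholder,
# so the computed response will not equal the one printed in Step 3.
CHALLENGE = ('Digest realm="MLS.IDX.API", '
             'nonce="NjM0NjkxNDY3NDU3NzYuNDo3YWNiNjk3NjIzNmY2MWU2ZmY2ZGRlZWRlMWFiYmVhNw==", qop="auth"')
USERNAME = "11UUctLDhfS8hkqpuhkgfhrB"
PASSWORD = "example-password"
CNONCE = "5ee95aeee8c10a3e780da1455e33a2f3"
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')  # k="v" (quoted) or k=v (bare, e.g. nc)

def parse_digest_params(header_value):
    """Parse 'Digest k="v", k2=v2, ...' from a WWW-Authenticate or Authorization header."""
    body = header_value.split("Digest", 1)[1]
    return {k: q if q else b for k, q, b in _PARAM.findall(body)}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # the password itself never goes on the wire
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_authorization(username, password, challenge, method, uri, cnonce, nc="00000001"):
    """Client side (Step 3): answer the Step 2 challenge with an Authorization header value."""
    c = parse_digest_params(challenge)
    resp = digest_response(username, password, c["realm"], method, uri, c["nonce"], nc, cnonce, c["qop"])
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", cnonce="{cnonce}", nc={nc}, response="{resp}", qop="{c["qop"]}"')

def server_verify(authorization, method, passwords, live_nonces):
    """Server side: recompute the response from the stored password; each nonce is single-use."""
    a = parse_digest_params(authorization)
    if a.get("nonce") not in live_nonces:  # not issued by this server, or already consumed
        return False
    live_nonces.discard(a["nonce"])  # consumed now; a failed attempt must get a fresh challenge
    password = passwords.get(a.get("username"))
    if password is None:
        return False
    expected = digest_response(a["username"], password, a["realm"], method, a["uri"],
                               a["nonce"], a["nc"], a["cnonce"], a.get("qop", "auth"))
    return hmac.compare_digest(expected, a.get("response", ""))
```

A real server would also check that nc increases and that the uri matches the request line, and would hold the nonce set with an expiry rather than in memory.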
