"HTTP authentication uses the same basic protocols for
HTTP web servers and HTTP proxy servers. These protocols have two
authentication modes: basic and digest mode. In basic mode, the
client passes the user name and the password to the server as a
single base64-encoded block. In digest mode, the server encodes the
password with a different key in a unidirectional function and the
client decodes the function using the password, then returns the
key. This proves that the client knows the password, without
actually transmitting the password at any point.
To the server (web or proxy), HTTP authentication is stateless.
To most clients, it is not -- within a given session, most clients
retain user name/password pairs for host names and paths (more
accurately, for HTTP realms) that have previously requested
If the client already has a user name/password pair for a URL,
it sends them the page request. If the client does not send the
authentication data with a request for a page that requires
authentication, the server sends an authentication challenge before
sending the page. The client receives the challenge and asks the
user for the user name/password pair to send."