Password protected directories

First read the description of the protocol on Wikipedia or at the IETF; otherwise this page is hard to understand.

The server currently uses Digest access authentication for the password protection.
To calculate the correct response the server does not use the uri value sent in the Authorization header, but the file that is actually requested (the URL after GET or POST in the request line). This is done for a security reason: otherwise a client could request any file by only changing the filename in the request line and leaving the uri unchanged.

Example
The following example shows what could happen if the server used the URI from the header instead of the URL from the request line.
You send the following request and a hacker captures it:

GET /dir/index.html HTTP/1.0
Host: localhost
Authorization: Digest username="Mufasa", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"

The hacker could resend this request and only change GET /dir/index.html HTTP/1.0 to any other page. This is not possible with this server, because it uses the URL from the request line.

Why is it not compatible with IE6 and older?

It works correctly if you request a page without a query string, but if the page has a query string IE6 and older fail and ask for your password over and over again.
This is because IE5 and IE6 only use the page name to calculate the response and leave out everything after the question mark; this behaviour was changed in IE7.
Example: if the requested page is test.htm?hello=10, IE5 and IE6 only use test.htm to calculate the response, while IE7 uses test.htm?hello=10.
That is why only IE7 (or higher) is supported, together with the other browsers listed in the system requirements.
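
As an added example (not the server's own code), the following Python shows the two points above in working form: the server recalculates the Digest response (RFC 2617, qop=auth) from the URL in the request line, so a replayed Authorization header no longer matches once the request line is changed, and an IE5/6 client that hashes only the part before the question mark produces a different response from an IE7 client for the same URL. The request values are the ones shown on this page; the password "Circle Of Life" is the RFC 2617 example password for the user Mufasa and is not on this page, and the password table and nonce handling are assumptions made for the example.

```python
"""Digest authentication check bound to the request-line URL (added example,
not the server's own code). Password "Circle Of Life" is the RFC 2617 example
password for Mufasa, assumed here; the password table is constructed."""
import hashlib
import hmac
import re

# Authorization parameters come as key=value or key="quoted value", comma separated.
AUTH_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_authorization(header):
    """Parse 'Digest k=v, k="v", ...' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or bare for key, quoted, bare in AUTH_PARAM.findall(params)}


def verify(request_line, auth_header, passwords):
    """True if the header proves the password for the request that was actually made.
    HA2 is built from the method and URL of the request line; the header's own
    uri= field is ignored, as the page describes."""
    method, url, _version = request_line.split()
    f = parse_authorization(auth_header)
    password = passwords.get(f["username"])
    if password is None:
        return False
    expected = digest_response(f["username"], f["realm"], password, method, url,
                               f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, f["response"])


# Constructed sample: the request from the page (RFC 2617 example values).
PASSWORDS = {"Mufasa": "Circle Of Life"}          # assumed password table
REQUEST_LINE = "GET /dir/index.html HTTP/1.0"
AUTH_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
               'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
               'qop=auth, nc=00000001, cnonce="0a4f113b", '
               'response="6629fae49393a05397450978507c4ef1"')


def ie6_style_uri(url):
    """IE5/6 hashed only the page name, dropping everything after the '?'."""
    return url.split("?", 1)[0]


def browser_responses(url, method="GET"):
    """(IE5/6 response, IE7+ response) for the same URL with the sample credentials."""
    common = dict(username="Mufasa", realm="testrealm@host.com",
                  password=PASSWORDS["Mufasa"], method=method,
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                  nc="00000001", cnonce="0a4f113b")
    return (digest_response(uri=ie6_style_uri(url), **common),
            digest_response(uri=url, **common))


if __name__ == "__main__":
    print("original request verifies:", verify(REQUEST_LINE, AUTH_HEADER, PASSWORDS))
    # Same header replayed against another page: HA2 changes, so the check fails.
    print("replayed to /dir/secret.html:",
          verify("GET /dir/secret.html HTTP/1.0", AUTH_HEADER, PASSWORDS))
    old, new = browser_responses("/dir/test.htm?hello=10")
    print("IE5/6 and IE7 agree on test.htm?hello=10:", old == new)
```

The server-side rule is the one the page states: the uri= field in the header plays no part in the check, so only the request line that the server actually serves can satisfy the response. The query-string case shows why an IE5/6 client keeps being challenged: its response was computed over test.htm while the server computes over test.htm?hello=10, and the two digests never match.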

More secure options

- The nonce is refreshed every 2 minutes after the last successful login
- The nonce is refreshed after a logout on the settings pages
- There are 2 different nonces, one for the settings pages and one for the password directory protection