Here is a patch for supporting MD5-sess, following RFC2617 specification.
Some comments/warnings:
* I've only tested the patch against IIS 6.0. I don't know about other servers supporting MD5-sess.
* IIS 6.0 expects the User Agent to send the URI (in the Authorization header) without the query string.
* This patch doesn't add support for Digest sessions. For each request we make, we get a new [401|407] message with a new nonce (depending if we're talking about a proxy with digest authentication or a web server). Then we generate another authenticated request using that nonce. For Digest sessions to be fully supported, we should be adding an [WWW|Proxy]-Authenticate header in each following request we made to the server using the last nonce. This includes both MD5-sess and MD5 digest implementations.
* A1 is being recalculated for every request. Given the above, this is not a real problem.
I'll open a new ticket regarding Digest sessions.