I'm developing a security framework and writing unit tests for it. I have found a difference between all browsers and httpunit; when the digest authentication is used, my framework places the nonce value in the session and returns the authenticate response. This response also includes the jsessionid cookie generated by Tomcat / Jetty, etc.
Upon submit of the username and password by the browsers, the session is restored and I can compare values. However HttpUnit does not accept the jsessionid cookie. So upon submit of the username and password a new session is created which does not have the nonce value and authentication fails.
My framework runs perfectly on all browser, but fails to unittest with httpunit.
Why is HttpUnit's behavior different from all browsers?