Example of using AuthType Digest to authenticate a user once across sub-domains?

apache


Most browsers do not respect the Digest "domain" directive and will not resend credentials for other URIs. As far as I know, Opera is the only browser that honors it.

For Opera, the server(s) must respond with the same "realm" string for each URI in the domain list. In other words, if domain="/test /example", the server needs to send "Test Realm - example.com" in the WWW-Authenticate header for both of those URIs. I assume Opera does this because it stores H(A1) instead of the actual password for security. Read into RFC2617 for more on this.

Here's my cross-browser solution to this problem: http://travisce.com/arest/


I have no experience with something like this myself. But I just took a look at the Apache documentation and found this:

The AuthDigestNonceLifetime directive controls how long the server nonce is valid. [...] If seconds is less than 0 then the nonce never expires.

So it seems to me that 0 seconds (the value you are using) is either illegal or really tells Apache to expire the nonce after 0 seconds, which would exactly explain the behavior you are getting.
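The two answers above make separate points: the realm string must be identical for every URI listed in the Digest domain, and a nonce lifetime of 0 forces immediate re-authentication. The configuration below is an added example that ties both together; it is not from the question or from any of the answers, and the hostnames (www.example.com, api.example.com), the realm name, the digest file path and the certificate paths are placeholders. It assumes mod_auth_digest and mod_ssl are loaded and that the digest file was created with the same realm, e.g. `htdigest -c /etc/apache2/digest.passwd "Shared Realm" alice`.

```apache
# Added example, not the original poster's configuration.
# Placeholders: hostnames, realm, digest file and certificate paths.

# The realm (AuthName) must be byte-for-byte identical in every vhost
# listed in AuthDigestDomain. The browser caches H(A1) = MD5(user:realm:pw)
# rather than the password, and the htdigest file is keyed by realm too,
# so a different realm on the second host means no usable credentials.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Placeholder certificate paths; Digest auth does not encrypt the
    # request body or URL, so keep the whole exchange on TLS.
    SSLCertificateFile /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    <Location "/">
        AuthType Digest
        AuthName "Shared Realm"
        AuthDigestProvider file
        AuthUserFile /etc/apache2/digest.passwd
        # Space-separated list of URIs (absolute URIs are permitted) that
        # form one protection space; list every host that should share
        # the credentials, and use the same list on each of them.
        AuthDigestDomain https://www.example.com/ https://api.example.com/
        # Seconds a server nonce stays valid. The default is 300; a value
        # below 0 never expires, and 0 produced the constant re-prompting
        # described in the question.
        AuthDigestNonceLifetime 300
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    <Location "/">
        AuthType Digest
        # Same realm string as on www.example.com, on purpose.
        AuthName "Shared Realm"
        AuthDigestProvider file
        AuthUserFile /etc/apache2/digest.passwd
        AuthDigestDomain https://www.example.com/ https://api.example.com/
        AuthDigestNonceLifetime 300
        Require valid-user
    </Location>
</VirtualHost>
```

A quick check after reloading: request a protected URL on each host with `curl -I` and compare the two `WWW-Authenticate` headers; the `realm=` and `domain=` values should be identical on both, and `nonce=` should change only after the configured lifetime. Whether the browser actually reuses the credentials on the second host is still up to the browser, as the first answer notes.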


Could a wildcard on the AuthDigestDomain help?

    *.domain.com