HTTP response code when not logged in


Marian Meres-2
Hello everyone,

what kind of HTTP response codes would you suggest using when
accessing a page which requires user to be logged in and there is no
current identity present?

Initially I thought about "401 Unauthorized", but the definition says:
"The response MUST include a WWW-Authenticate header field containing
a challenge applicable to the requested resource" where I'm not sure I
know what that means...

I also thought about "403 Forbidden", but again from the definition:
"Authorization will not help and the request SHOULD NOT be repeated"
does not look like a good choice.

Or forget it and stick with good old "200 OK"?

Thanks,
M.

Re: HTTP response code when not logged in

weierophinney
Administrator
-- Marian Meres <[hidden email]> wrote
(on Friday, 19 March 2010, 08:43 AM +0100):
> what kind of HTTP response codes would you suggest using when
> accessing a page which requires user to be logged in and there is no
> current identity present?
>
> Initially I thought about "401 Unauthorized", but the definition says:
> "The response MUST include a WWW-Authenticate header field containing
> a challenge applicable to the requested resource" where I'm not sure I
> know what that means...

I've used a 401 error code quite a number of times, and consider it
perfectly valid. While the spec indicates the WWW-Authenticate header is
required, I have yet to see a browser that acts on it, nor can I think
of any apps off hand that actually use it; I certainly haven't seen any
negative side-effects from not supplying it.

So, based on that anecdotal evidence... I'd go ahead and use it.

> I also thought about "403 Forbidden", but again from the definition:
> "Authorization will not help and the request SHOULD NOT be repeated"
> does not look like a good choice.
>
> Or forget it and stick with good old "200 OK"?

--
Matthew Weier O'Phinney
Project Lead            | [hidden email]
Zend Framework          | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
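
Added example, not part of either post and not Zend Framework code: a minimal Python WSGI middleware that separates the two cases discussed in the thread, answering 401 with a WWW-Authenticate challenge when no identity is present and 403 when a logged-in user lacks the required role. The session table, role map, `FormLogin` scheme name and all function names are hypothetical.

```python
# Constructed sample data (hypothetical): session id -> identity, path -> role.
SESSIONS = {"s-alice": {"user": "alice", "roles": {"admin", "member"}},
            "s-bob": {"user": "bob", "roles": {"member"}}}
REQUIRED_ROLE = {"/account": "member", "/admin": "admin"}

def identity_from(environ):
    """Return the identity for the request's 'sid' cookie, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None

def require_login(app):
    """Wrap a WSGI app with the 401 / 403 decision."""
    def guarded(environ, start_response):
        role = REQUIRED_ROLE.get(environ.get("PATH_INFO", "/"))
        if role is None:  # public page, no identity needed
            return app(environ, start_response)
        ident = identity_from(environ)
        if ident is None:
            # No current identity: 401 plus the challenge header that the
            # 401 definition requires. "FormLogin" is a placeholder scheme
            # name for a form-based login, not a registered scheme.
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'FormLogin realm="example"'),
                ("Content-Type", "text/plain")])
            return [b"Login required\n"]
        if role not in ident["roles"]:
            # Identity present but lacking the role: logging in again won't help.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Not allowed\n"]
        return app(environ, start_response)
    return guarded

def pages(environ, start_response):
    """Stand-in for the real application: every page answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"page content\n"]

def call(app, path, cookie=None):
    """Invoke a WSGI app once; return (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

site = require_login(pages)
```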