HTTP response code when not logged in

HTTP response code when not logged in

Marian Meres-2
Hello everyone,

what kind of HTTP response codes would you suggest using when
accessing a page which requires user to be logged in and there is no
current identity present?

Initially I thought about "401 Unauthorized", but the definition says:
"The response MUST include a WWW-Authenticate header field containing
a challenge applicable to the requested resource" where I'm not sure I
know what that means...

I also thought about "403 Forbidden", but again from the definition:
"Authorization will not help and the request SHOULD NOT be repeated"
does not look like a good choice.

Or forget it and stick with good old "200 OK"?

Thanks,
M.
Re: HTTP response code when not logged in

Peter Warnock-2
Do capture the request uri, do a 301 redirect to the login page, authenticate, and redirect back to the request uri.

A 401 is used to present an HTTP Auth dialog.  It's more useful for REST APIs and the like that have login credentials sent with the request.

- pw

On Fri, Mar 19, 2010 at 12:45 AM, Marian Meres <[hidden email]> wrote:
Re: HTTP response code when not logged in

Marian Meres-2
Thing is, the app I'm working on does not redirect, but internally
_forwards to login controller. It could be refactored, no question,
but would that be the only option?

Thanks.
M.

On Fri, Mar 19, 2010 at 8:51 AM, Peter Warnock <[hidden email]> wrote:

> Do capture the request uri, do a 301 redirect to the login page,
> authenticate, and redirect back to the request uri.
>
> A 401 is used to present an HTTP Auth dialog.  It's more useful for REST
> APIs and the like that have login credentials sent with the request.
>
> - pw
>
> On Fri, Mar 19, 2010 at 12:45 AM, Marian Meres <[hidden email]>
> wrote:
>>
>> Hello everyone,
>>
>> what kind of HTTP response codes would you suggest using when
>> accessing a page which requires user to be logged in and there is no
>> current identity present?
>>
>> Initially I thought about "401 Unauthorized", but the definition says:
>> "The response MUST include a WWW-Authenticate header field containing
>> a challenge applicable to the requested resource" where I'm not sure I
>> know what that means...
>>
>> I also thought about "403 Forbidden", but again from the definition:
>> "Authorization will not help and the request SHOULD NOT be repeated"
>> does not look like a good choice.
>>
>> Or forget it and stick with good old "200 OK"?
>>
>> Thanks,
>> M.
>>
>
>
Re: HTTP response code when not logged in

Peter Warnock-2
On Fri, Mar 19, 2010 at 7:46 AM, Matthew Weier O'Phinney <[hidden email]> wrote:

I've used a 401 error code quite a number of times, and consider it
perfectly valid. While the spec indicates the WWW-Authenticate header is
required, I have yet to see a browser that acts on it, nor can I think
of any apps off hand that actually use it; I certainly haven't seen any
negative side-effects from not supplying it.

So, based on that anecdotal evidence... I'd go ahead and use it.

On Fri, Mar 19, 2010 at 1:16 AM, Marian Meres <[hidden email]> wrote:

I don't think a refactor is necessary. Like Matthew said, just throw the 401. The spec is most applicable to working with an HTTP client like curl that anticipates the Auth dialog so that it can respond with credentials.

- pw
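The thread settles on two options: redirect browsers to the login page and bring them back afterwards, or answer with a 401 and let the login controller render the form. The Python below is an added example, not code from the list or from any project discussed here, that puts both side by side and adds the checks a practitioner would want. The login path, the realm name and the heuristic for telling an API client from a browser are assumptions. A 303 is used instead of the 301 mentioned above so the browser does not cache the redirect permanently, the return target is validated so the login page cannot be turned into an open redirect, and the 401 carries the WWW-Authenticate header the spec requires; a Bearer challenge does not pop the browser's Basic-auth dialog, only Basic or Digest challenges do, so the login page body can still be rendered behind it. Answering 200 for a protected URL is deliberately not an option here: it lets caches and crawlers store the login form under the protected URL and hides the denial from logs and monitoring.

```python
from urllib.parse import quote, urlsplit

# Added example (not from the thread). Assumed configuration values:
LOGIN_PATH = "/login"       # assumed location of the login form
API_REALM = "example-api"   # assumed realm advertised in the 401 challenge


def safe_return_path(target: str) -> str:
    """Accept only a same-site absolute path as the post-login return target.

    A scheme, a host, a protocol-relative '//' prefix or a backslash would
    let an attacker use the login page as an open redirect, so those fall
    back to '/'.
    """
    if not target or not target.startswith("/") or target.startswith("//"):
        return "/"
    if "\\" in target or urlsplit(target).netloc:
        return "/"
    return target


def is_api_client(headers: dict) -> bool:
    """Assumed heuristic: clients that send credentials with the request
    (Authorization header, JSON Accept, or the XHR marker) get a 401 so they
    can retry with credentials instead of following an HTML redirect."""
    h = {k.lower(): v for k, v in headers.items()}
    return (
        "authorization" in h
        or "application/json" in h.get("accept", "")
        or h.get("x-requested-with") == "XMLHttpRequest"
    )


def unauthenticated_response(method: str, path: str, headers: dict):
    """Response for a protected resource when no identity is present.

    Returns (status, headers, body) so the caller can hand it to any
    framework or, as in the thread, forward internally to the login
    controller and still emit the status code.
    """
    if is_api_client(headers):
        # 401 must carry a challenge; Bearer does not trigger the browser's
        # credential dialog, so the login page can still be rendered below it.
        return 401, {
            "WWW-Authenticate": f'Bearer realm="{API_REALM}"',
            "Cache-Control": "no-store",
        }, b""

    # Browser navigation: go to the login form and remember where the user
    # was. 303 rather than 301 so the redirect is not cached; only GET/HEAD
    # targets are safe to replay after login, other methods return to '/'.
    target = path if method in ("GET", "HEAD") else "/"
    location = f"{LOGIN_PATH}?return={quote(safe_return_path(target), safe='/')}"
    return 303, {"Location": location, "Cache-Control": "no-store"}, b""


def forbidden_response():
    """Authenticated but not permitted: 403, since logging in again won't help."""
    return 403, {"Cache-Control": "no-store"}, b"Forbidden"


def after_login_redirect(return_param: str):
    """What the login controller sends once credentials check out: back to
    the captured URI, re-validated because the parameter came from the client."""
    return 303, {"Location": safe_return_path(return_param)}, b""
```

The same `safe_return_path` check runs twice on purpose: once when the return target is captured and once when the login controller consumes it, because the query parameter is attacker-controlled between the two requests.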