401 Unauthorized vs 403 Forbidden: Which is the right status code for when the user has not logged in? [duplicate]

After lots of Googling and Stackoverflowing, it still isn't clear to me, because many articles and questions/answers were too general (including 403 Forbidden vs 401 Unauthorized HTTP responses, which was not specific to my use case).

Question: What's the proper HTTP Status Code when the user has not logged in and requests to see some pages that should be shown only to logged-in users?

Mohammad Naji asked May 02 '18 21:05



1 Answer

The exact, satisfying, once-and-for-all answer I found is:

Short answer:

401 Unauthorized


Description:

While we know that authentication comes first (has the user logged in or not?) and only then do we go into authorization (does he have the needed privilege or not?), here's the key point that leads us to the mistake:

But isn’t “401 Unauthorized” about authorization, not authentication?

Back when the HTTP spec (RFC 2616) was written, the two words may not have been as widely understood to be distinct. It’s clear from the description and other supporting texts that 401 is about authentication.

From HTTP Status Codes 401 Unauthorized and 403 Forbidden for Authentication and Authorization (and OAuth).

So maybe, if we wanted to rewrite the standards, focusing enough on each word, we might refer to the following table:

Status Code | Old foggy naming | New clear naming | Use case
----------- | ---------------- | ---------------- | ----------------------------------
401         | Unauthorized     | Unauthenticated  | User has not logged-in
403         | Forbidden        | Unauthorized     | User doesn't have enough privilege
Mohammad Naji answered Sep 19 '22 11:09
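The ordering the answer describes (authenticate first, then authorize), as an added example that is not part of the original post. The user table, route table and Bearer tokens are constructed for the example; the WWW-Authenticate header on the 401 follows RFC 7235, which requires it so the client knows how to authenticate.

```python
# Added example: a small request dispatcher that applies the 401/403 distinction.
# Step 1 is authentication (no or invalid credentials -> 401),
# step 2 is authorization (known user without the needed privilege -> 403).
from dataclasses import dataclass, field

# Constructed user store: bearer token -> (username, set of roles)
USERS = {
    "tok-alice": ("alice", {"user", "admin"}),
    "tok-bob": ("bob", {"user"}),
}

# Constructed route table: path -> role required to view it
ROUTES = {
    "/dashboard": "user",
    "/admin": "admin",
}

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def handle(path: str, headers: dict) -> Response:
    """Return the HTTP response for a request to `path` carrying `headers`."""
    required_role = ROUTES.get(path)
    if required_role is None:
        return Response(404, body="not found")

    # Step 1: authentication. Missing or invalid credentials -> 401.
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    user = USERS.get(token) if scheme == "Bearer" else None
    if user is None:
        # RFC 7235 section 3.1: a 401 must carry WWW-Authenticate so the
        # client can learn which scheme to use and retry with credentials.
        return Response(401, {"WWW-Authenticate": 'Bearer realm="example"'},
                        "authentication required")

    # Step 2: authorization. Authenticated user lacking the role -> 403.
    username, roles = user
    if required_role not in roles:
        # No WWW-Authenticate here: re-authenticating would not help.
        return Response(403, body=f"{username} may not view {path}")

    return Response(200, body=f"hello {username}")
```

For a cookie-backed browser session the same two steps apply; only the token lookup changes to a session lookup.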