
HTTP status code for missing authentication

HTTP defines the status 401 Unauthorized for missing authentication, but this status only applies to HTTP authentication. What status should I return with a session cookie based system, when an unauthorized request happens?

Score: 200
deamon asked Nov 29 '10 08:11


People also ask

What is meaning of HTTP status code 401 & 403?

401 Unauthorized is the status code to return when the client provides no credentials or invalid credentials. 403 Forbidden is the status code to return when a client has valid credentials but not enough privileges to perform an action on a resource.

What is a 402 error code?

The HTTP 402 Payment Required is a nonstandard response status code that is reserved for future use. This status code was created to enable digital cash or (micro) payment systems and would indicate that the requested content is not available until the client makes a payment.

What is 4xx status code?

The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition.

What is the status code for unauthorized?

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource... The user agent MAY repeat the request with a new or replaced Authorization header field.


2 Answers

Formally, 403 Forbidden is the right response. It's defined as

Authorization will not help and the request SHOULD NOT be repeated.

The confusing part may be "Authorization will not help", but they really mean "HTTP authentication" (WWW-Authenticate).

Score: 95
Martin v. Löwis answered Oct 03 '22 18:10


403 I believe is technically correct (and probably most effective if you are implementing a custom API / protocol).

401 is not appropriate as it refers to authorization with a WWW-Authenticate header, which a session cookie is not.

If this is a public facing website where you are trying to deny access based on a session cookie, 200 with an appropriate body to indicate that login is needed or a 302 temporary redirect to a login page is often best.

Score: 24
userx answered Oct 03 '22 16:10
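The two answers above agree on the same decision rule for a session-cookie application: an unauthenticated browser request gets a 302 to the login page, an unauthenticated API request gets 403 (401 being tied to WWW-Authenticate schemes), and an authenticated but under-privileged request gets 403 in either case. The following is an added example that puts that rule into one request handler; it is not code from the question or from either answer. The `Request`/`Response` shapes, the in-memory `SESSIONS` store, the `ROUTES` table, the `sid` cookie name and the `/login` path are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import quote

# Constructed in-memory session store (assumption: a real app would look the
# session id up server-side; the cookie value itself is just an opaque handle).
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}
ROLE_RANK = {"user": 1, "admin": 2}
# Constructed route table: path -> minimum role required to reach it.
ROUTES = {"/profile": "user", "/admin": "admin"}
LOGIN_PATH = "/login"  # assumption: where browser clients are sent to log in


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def session_from_cookie(req: Request):
    """Return the session record for the 'sid' cookie, or None if absent or unknown."""
    jar = SimpleCookie()
    jar.load(req.headers.get("Cookie", ""))
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def wants_html(req: Request) -> bool:
    """A browser navigation advertises text/html; an API client normally does not."""
    return "text/html" in req.headers.get("Accept", "")


def handle(req: Request) -> Response:
    required = ROUTES.get(req.path)
    if required is None:
        return Response(404, body="not found")

    # Anything that depends on the cookie must not be stored by a shared cache.
    no_cache = {"Cache-Control": "no-store", "Vary": "Cookie"}
    session = session_from_cookie(req)

    if session is None:
        # Not authenticated (no cookie, or a cookie we do not recognise).
        # Browser: 302 to the login page, remembering the requested path.
        # API client: 403, since 401 would require a WWW-Authenticate challenge.
        if wants_html(req):
            target = f"{LOGIN_PATH}?next={quote(req.path, safe='')}"
            return Response(302, {**no_cache, "Location": target})
        return Response(403, {**no_cache, "Content-Type": "application/json"},
                        body='{"error":"login required"}')

    if ROLE_RANK[session["role"]] < ROLE_RANK[required]:
        # Authenticated but not permitted: logging in again will not help,
        # so 403 is right for browser and API clients alike.
        return Response(403, {**no_cache, "Content-Type": "application/json"},
                        body='{"error":"insufficient privileges"}')

    return Response(200, {**no_cache, "Content-Type": "text/plain"},
                    body=f"hello {session['user']}")


if __name__ == "__main__":
    for r in (Request("/profile", {"Accept": "text/html"}),
              Request("/profile", {"Accept": "application/json"}),
              Request("/admin", {"Cookie": "sid=sess-alice"}),
              Request("/admin", {"Cookie": "sid=sess-root"})):
        print(r.path, r.headers, "->", handle(r).status)
```

The `next` value is built from the request path the server itself routed, so the redirect stays on the same origin; the `Cache-Control: no-store` and `Vary: Cookie` headers keep an intermediary from replaying one user's 302 or 403 to another.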