Are there any standards for using HTTP headers for login success / fail responses?
HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes: Informational responses (100–199), Successful responses (200–299)
401 is the proper response code to send when a failed login has happened. 401 Unauthorized Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.
For a PUT/POST request, the response will include the resource that contains the result of the action. Status Code 201 – This is the status code that confirms that the request was successful and, as a result, a new resource was created.
2xx Status Codes [Success]: Indicates that the request has succeeded. Indicates that the request has succeeded and a new resource has been created as a result. Indicates that the request has been received but not completed yet; it is typically used for long-running requests and batch processing.
The header that the server sends is either the 200 OK or 401 denied status codes on success or failure.
See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Section 10.4.2 401 Unauthorized for this.
When sending the 401, the server must send a
WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge
to indicate what scheme should be used to authenticate.
See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html Section 14.47 WWW-Authenticate for this.
It depends on what you mean by 'login' and perhaps also on how the login/logout/authorization is handled by the server.
Usually, the expression 'to log in' is related to sessions. One 'logs in', does what needs to be done, and then 'logs out'. The server stores the session information and sends the session ID in a cookie to the client, who then sends the cookie back to inform the server that a session is going on. Within the session, variables can change and their state is persistent between calls from the client.
Intuitively, it sounds natural that there should be a kind of response 'Authorized' when you start a session, together with response 'Unauthorized (401)'.
However, HTTP is a stateless protocol. It does not know about states, only about whether the request is authorized or not. That is why there is the status 401 but no specific 'authorized' status code (since if a request is not unauthorized, it is implicitly authorized).
In order to have the feeling of working on a session at the HTTP level (without using a construction like PHP's session_start()), the authorization credentials have to be sent with every request. This is what happens when one uses the .htaccess file to protect a folder, for example. After providing the user name and password to the password dialog, these are subsequently sent every time there is an access within the authorization realm. There is an illusion of a 'session' going on, but in reality the username and password are sent at every request.
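The two answers above describe the same mechanism from both sides: the server answers a missing or wrong credential with 401 plus a WWW-Authenticate challenge, and the client then repeats the credential on every request because nothing is remembered between them. The following is an added example (not code from either answer): a minimal stateless Basic-auth check with Python's standard library. The realm name, the demo user and the password are constructed values.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials; a real server would look up a stored password hash.
REALM = "demo"
USERS = {"alice": "correct horse battery staple"}


def basic_header(user, password):
    """Build the Authorization value a client must send with every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_request(headers):
    """Decide one request on its own, with no session state.

    Returns (status, extra_headers): 401 with a WWW-Authenticate challenge when
    credentials are absent, malformed or wrong; 200 with no extra headers when valid.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return 401, challenge
    try:
        user, _, password = base64.b64decode(param, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # not base64 / not UTF-8
        return 401, challenge
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of where the mismatch is
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, challenge
    return 200, {}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, extra = check_request(self.headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n" if status == 200 else b"unauthorized\n")


if __name__ == "__main__":
    # A browser hitting this URL shows the password dialog on the first 401,
    # then resends the credential with every later request in the realm.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```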