Should a failed login attempt result in a http 401 response

Should a failed login attempt result in a HTTP 401 response? Doesn't seem like all the major sites do this.

asked Nov 25 '11 20:11 by kenwarner



2 Answers

I think it depends on the type of authentication in use.

If you look at the same source that @Jan Vorcak cited (RFC 2616), it says that the 401 response "MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource." That refers (as has been posted since I started typing this answer) to the HTTP authentication schemes based on RFC 2617. Few sites intended for the general public seem to use these authentication methods anymore. So, since the WWW-Authenticate header is meaningless, it should not be included, which means that returning a 401 error violates RFC 2616.

So, in most cases, I think the answer is "no."

answered Oct 13 '22 23:10 by Andrew


Only if your site uses HTTP-based authentication schemes like Basic authentication or Digest authentication.

http://en.wikipedia.org/wiki/Basic_access_authentication

http://en.wikipedia.org/wiki/Digest_access_authentication

There are other obvious alternatives, like relying on custom cookies and using a 302 to redirect to a login page. The 302-based authentication schemes are probably the ones used most often.

answered Oct 13 '22 22:10 by Wiktor Zychla
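The two conventions described in the answers above, side by side, as an added example that is not part of either answer or of any real site's code. The credentials, session id, realm name and paths are constructed for the demonstration. The first handler does HTTP Basic authentication and answers a failed or missing login with a 401 that carries the WWW-Authenticate challenge the RFC requires; the second is the cookie-and-redirect pattern, where a request without a session gets a 302 to the login page and a failed form POST simply re-renders the form with a 200 and a generic error message, so no 401 ever appears.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import quote

# Constructed demo data for the example: one user and one pre-existing session.
# These are not real credentials.
USERS = {"alice": "correct horse battery"}
SESSIONS = {"demo-session-id": "alice"}


@dataclass
class Response:
    """Just enough of an HTTP response to show status, headers and body."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def check_password(user, password):
    """Constant-time compare; an unknown user takes the same path as a bad password."""
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return ok and user in USERS


def parse_basic(authorization):
    """Decode 'Basic base64(user:password)'; return (user, password) or None."""
    if not authorization or not authorization.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def api_handler(headers):
    """HTTP Basic style: a missing or failed login is a 401, and the 401 carries
    the WWW-Authenticate challenge (the realm name is an assumption of the example)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or not check_password(*creds):
        return Response(401, {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'})
    return Response(200, body=f"hello {creds[0]}")


def parse_cookies(cookie_header):
    """Split a Cookie header into a dict; malformed parts are ignored."""
    cookies = {}
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def web_handler(headers, path="/account"):
    """Cookie/form-login style: no valid session means a 302 to the login page, not a 401."""
    session = parse_cookies(headers.get("Cookie")).get("session", "")
    user = SESSIONS.get(session)
    if user is None:
        return Response(302, {"Location": "/login?next=" + quote(path, safe="")})
    return Response(200, body=f"hello {user}")


def login_handler(form):
    """Form POST: a bad login re-renders the form with a generic error and a 200;
    a good login creates a session, sets the cookie and redirects. No 401 involved."""
    user = form.get("user", "")
    if not check_password(user, form.get("password", "")):
        return Response(200, body="Invalid username or password.")
    # Only accept a same-site relative 'next' so the redirect cannot be pointed off-site.
    nxt = form.get("next", "/account")
    if not nxt.startswith("/") or nxt.startswith("//"):
        nxt = "/account"
    session = secrets.token_urlsafe(32)
    SESSIONS[session] = user
    cookie = f"session={session}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return Response(302, {"Location": nxt, "Set-Cookie": cookie})


if __name__ == "__main__":
    print(api_handler({}))                      # 401 with WWW-Authenticate
    print(web_handler({}))                      # 302 to /login
    print(login_handler({"user": "alice", "password": "wrong"}))  # 200, generic error
```

The failure message in `login_handler` is deliberately the same whether the user exists or not, and `check_password` compares in constant time for the same reason: a failed login should not tell the client which half of the credential was wrong.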