Should a failed login attempt result in an HTTP 401 response? It doesn't seem like all the major sites do this.
401 is the proper response code to send when a failed login has happened. "401 Unauthorized: Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided."
The HyperText Transfer Protocol (HTTP) 401 Unauthorized response status code indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource.
401: “Unauthorized” or “Authorization Required.” This is returned by the server when the target resource lacks valid authentication credentials. You might see this if you've set up basic HTTP authentication using htpasswd.
I think it depends on the type of authentication in use.
If you look at the same source that @Jan Vorcak cited (RFC 2616), it says that the 401 response "MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource." That refers (as has been posted since I started typing this answer) to the HTTP authentication schemes based on RFC 2617. Few sites intended for the general public seem to use these authentication methods anymore. So, since the WWW-Authenticate header is meaningless, it should not be included, which means that returning a 401 error violates RFC 2616.
So, in most cases, I think the answer is "no."
Only if your site uses HTTP-code based authentication schemes like the basic authentication or digest authentication.
http://en.wikipedia.org/wiki/Basic_access_authentication
http://en.wikipedia.org/wiki/Digest_access_authentication
There are other obvious alternatives, like relying on custom cookies and using 302 to redirect to a login page. The 302-based authentication schemes are probably used most often.
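The two schemes the answers contrast, as an added example that is not code from the thread: a minimal handler for a site using RFC 2617 Basic auth (a missing or failed credential gets 401 together with the WWW-Authenticate challenge the RFC requires) beside a cookie-based login form (no challenge applies, so the failure is answered with a 302 redirect). The credential store, realm, paths and session value are constructed for the demo.

```python
import base64
import binascii
import hmac

# Constructed demo credential store; a real application stores password hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}


def basic_header(user, password):
    """Build the value of an 'Authorization: Basic' header as a client would send it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic(authorization):
    """Parse an 'Authorization: Basic <base64>' value; return the user name, or None on any failure."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header counts as "no credentials", not a server error
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user, "")
    # Constant-time comparison of the password so the check does not leak how far it matched.
    if expected and hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return user
    return None


def respond_http_auth(headers):
    """RFC 2617 style site: returns (status, headers, body); 401 always carries the challenge."""
    user = check_basic(headers.get("Authorization"))
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="example", charset="UTF-8"'}, ""
    return 200, {}, f"hello {user}"


def respond_form_login(form):
    """Login-form site: there is no HTTP challenge to send, so a failure redirects back to the form."""
    expected = USERS.get(form.get("username", ""), "")
    password = form.get("password", "")
    if expected and hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        # SESSION_ID is a constructed placeholder; generate a random, server-side session id in practice.
        cookie = "session=SESSION_ID; HttpOnly; Secure; SameSite=Lax"
        return 302, {"Location": "/", "Set-Cookie": cookie}, ""
    # Identical response for an unknown user and a wrong password, so the form does not reveal which.
    return 302, {"Location": "/login?error=1"}, ""
```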