What does mean "authorization will not help" in the HTTP spec for error 403?

The HTTP 1.1 spec says:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated. [...]

Does this mean only "basic authorization", as in WWW-Authenticate: Basic? Should a 403 ever be issued for resources where some other user could potentially access the denied resource through means other than basic HTTP authentication (for example through his session cookie, OpenID, etc.)?

I'm asking this since HTTP 401 says that...

the response MUST include a WWW-Authenticate header field

...and I'm not sure if I should actually add a header like WWW-Authenticate: Custom.

Many people seem to use 403, even in cases where a simple cookie could have made the resource available. Are they all wrong?

Asked by Camilo Martin, Oct 20 '22 18:10

1 Answer

I believe you are right that 403 should be used when the request will be denied, regardless of authorization. An example usage would be to prevent directory browsing, as described here:

http://www.checkupdown.com/status/E403.html

It is certainly possible that people are using it incorrectly where 401 should be used instead.

The differences between 401 and 403 are also discussed in this other SO question, where the consensus is that 401 is for authentication errors, and 403 is for authorization errors.

The issue of authentication versus authorization can be slightly confusing, particularly when the spec says:

10.4.2 401 Unauthorized

The request requires user authentication.

I think the key distinction is:

  • 401 means you are not authorized because you don't have the right authentication
  • 403 means you are not authorized regardless of authentication.
Answered by Ergwun, Oct 24 '22 01:10
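The distinction the answer draws (401 when the server does not know who you are and tells you how to prove it, 403 when it knows and still refuses) is easiest to see in a request handler that makes both decisions. The following is an added example, not code from the question or answer above: the bearer-token table, session table, realm name and role model are all invented for illustration, and the server is a plain function rather than a real framework. It sends a `WWW-Authenticate` challenge on every 401 (required by RFC 7235, which replaced the RFC 2616 text quoted in the question) using the registered `Bearer` scheme from RFC 6750 rather than an ad-hoc scheme like `Custom`, and it never sends that header with a 403, because re-authenticating cannot change the outcome.

```python
"""Added example: choosing between 401 and 403 in a request handler.

Illustrative code, not from the original post. The credential tables,
realm name and permission model below are made-up assumptions.
"""
import hmac
import re
from http.cookies import SimpleCookie

# Constructed sample credential stores (assumption: an opaque bearer token
# or a session cookie both map to a user name).
BEARER_TOKENS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
SESSIONS = {"sess-9f8e7d": "alice"}
# Constructed role model: which roles each user holds.
ROLES = {"alice": {"reader", "admin"}, "bob": {"reader"}}
# Constructed policy: role required per path.
REQUIRED_ROLE = {"/reports": "reader", "/admin": "admin"}
REALM = "example-api"  # assumed realm name


def authenticate(headers):
    """Return the user name proven by the request's credentials, or None.

    None covers both "no credentials at all" and "credentials presented but
    not valid"; handle() distinguishes the two when building the challenge.
    """
    auth = headers.get("Authorization", "")
    m = re.fullmatch(r"Bearer\s+(\S+)", auth)
    if m:
        presented = m.group(1).encode()
        for known, user in BEARER_TOKENS.items():
            # Constant-time comparison so token lookup does not leak timing.
            if hmac.compare_digest(known.encode(), presented):
                return user
        return None  # a token was presented, but it is not one we issued
    cookie = SimpleCookie(headers.get("Cookie", ""))
    if "session" in cookie:
        return SESSIONS.get(cookie["session"].value)
    return None


def handle(method, path, headers):
    """Return (status, response_headers) for a request.

    403 is used only where no identity could change the outcome; 401 is used
    whenever the problem is that the client has not proven who it is.
    """
    # Directory listings are refused for everyone, so authenticating cannot
    # help: 403, and no WWW-Authenticate header.
    if path.endswith("/"):
        return 403, {}

    user = authenticate(headers)
    if user is None:
        # We do not know who the client is. 401 must carry a challenge that
        # tells the client how to authenticate (RFC 7235 section 3.1).
        challenge = f'Bearer realm="{REALM}"'
        if headers.get("Authorization"):
            # Credentials were presented but rejected; RFC 6750 lets the
            # challenge say so with the error attribute.
            challenge += ', error="invalid_token"'
        return 401, {"WWW-Authenticate": challenge}

    needed = REQUIRED_ROLE.get(path)
    if needed is not None and needed not in ROLES.get(user, set()):
        # Identity is established; this user is simply not allowed here.
        # No WWW-Authenticate: proving the same identity again won't help.
        return 403, {}

    return 200, {}


if __name__ == "__main__":
    print(handle("GET", "/reports", {}))
    print(handle("GET", "/admin", {"Authorization": "Bearer tok-bob-456"}))
    print(handle("GET", "/admin", {"Cookie": "session=sess-9f8e7d"}))
```

Note the asymmetry the handler preserves: a request with a session cookie that belongs to a user lacking the `admin` role gets 403, but the same path with no credentials at all gets 401, because a different cookie (or token) could still make the resource available. That is the case the question describes as "a simple cookie could have made the resource available", and it is exactly the case where 403 is the wrong status.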