What HTTP code to use in "Not Authenticated" and "Not authorized" cases?

I read that "401 Unauthorized" code must be used when a user:

  1. Is not logged in, but login is required ("not authenticated");
  2. Is logged in, but his profile doesn't allow him to see that URL ("not authorized");

According to the RFC, in both cases the server must return a 401 code. But I need to differentiate them in my ajax requests.

Anybody have a tip to solve this?

Note: I don't want to use the 403 Forbidden code, because for 403 "authorization will not help", according to the RFC.

Topera asked May 24 '11 15:05



2 Answers

Unless you intend to use HTTP authentication, the correct response is 403 ("Forbidden").

A response code of 401 triggers the browser to display a password dialog box, and then resubmit the same request with a WWW-Authenticate header with the password data that the user supplied. That's probably not the behavior you want.

Don't get too hung up on the explanations in the RFCs -- what you really need to pay attention to are the browser and search engine side effects of the various response codes.

As for the "Authorization will not help" bit, in this case that is correct, since using HTTP authorization (which specifically means the WWW-Authenticate header), in fact, will not help.

A 403 response tells the browser that the user does not have permission to make that request, and the browser should not attempt to collect authentication data and resubmit the request. That's exactly the response you're after.

tylerl answered Oct 01 '22 12:10
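The following is an added example (not code from either answer) showing how the server-side choice described above, 401 plus WWW-Authenticate only when the endpoint really uses HTTP authentication, 403 otherwise, can be combined with a small JSON body so an AJAX client can still tell "not authenticated" from "not authorized". The `principal`/`roles` shape, the `error` field names and the `/login` path are assumptions for the example.

```javascript
// Server side: pick the status, headers and body for a protected resource.
// `principal` is null when the request carried no session or credentials (assumed shape).
// `httpAuth` is true only for endpoints protected by HTTP authentication, where a
// 401 + WWW-Authenticate is appropriate because the browser will prompt and retry.
function authorizeResponse({ principal, requiredRole, httpAuth }) {
  if (!principal) {
    if (httpAuth) {
      // Real HTTP auth: 401 so the browser collects credentials and resubmits.
      return {
        status: 401,
        headers: { 'WWW-Authenticate': 'Basic realm="api"' },
        body: { error: 'not_authenticated' },
      };
    }
    // Cookie/session-based app (the asker's situation): 403 avoids the browser
    // password dialog; the body tells the AJAX client which case this is.
    return { status: 403, headers: {}, body: { error: 'not_authenticated', login: '/login' } };
  }
  if (!principal.roles.includes(requiredRole)) {
    // Authenticated but lacking the role: 403, and no credentials would help.
    return { status: 403, headers: {}, body: { error: 'not_authorized' } };
  }
  return { status: 200, headers: {}, body: { ok: true } };
}

// Client side: map a response (status, headers, parsed JSON body) to a page action.
function handleApiResponse(res) {
  if (res.status === 200) return 'render';
  if (res.status === 401 && res.headers['WWW-Authenticate']) return 'browser-auth-prompt';
  if (res.body && res.body.error === 'not_authenticated') return 'redirect-to-login';
  if (res.status === 403) return 'show-access-denied';
  return 'unexpected';
}
```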


I believe 403 is the right one. We may have to tune the language in the specification to make that clear.

Julian Reschke answered Oct 01 '22 14:10