I am implementing a simple registration/login module.
While testing user credentials, I started thinking about which HTTP status code would be appropriate for the situation where a user sends a request with incorrect credentials.
At first, I thought 401 Unauthorized would be a nice status code, but it seems it would be better to use it when a user is trying to get some resource without authorisation.
After that, I switched to 409 Conflict:
"This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request."
So, friends, please give me some advice on which status code should be used.
The HyperText Transfer Protocol (HTTP) 401 Unauthorized response status code indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource.
401: "Unauthorized" or "Authorization Required." This is returned by the server when the request lacks valid authentication credentials for the target resource. You might see this if you've set up basic HTTP authentication using htpasswd.
What Is a 201 Status Code? The request has been fulfilled and has resulted in one or more new resources being created. The primary resource created by the request is identified by either a Location header field in the response or, if no Location field is received, by the effective request URI.
401 is the proper response code to send when a failed login has happened. 401 Unauthorized Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.
If you use HTTP authentication as defined by RFC 7235, 401 would be correct (for missing or incorrect credentials).
Otherwise, use 403.
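The rule in this answer (401 with a WWW-Authenticate challenge when the API uses HTTP authentication, 403 when credentials arrive some other way and are simply wrong) as a small worked example. This is added code, not from the question or any answer; the user store, the realm name "example" and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed user store for the example: username -> (salt, PBKDF2 hash).
# A fixed salt is used only to keep the example deterministic.
_SALT = b"example-salt"
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


USERS = {"alice": (_SALT, _hash_password("correct horse battery staple"))}


def verify_credentials(username: str, password: str) -> bool:
    """Constant-time check; hashes even for unknown users so timing is uniform."""
    record = USERS.get(username)
    salt, expected = record if record else (_SALT, b"\x00" * 32)
    digest = _hash_password(password, salt)
    return record is not None and hmac.compare_digest(digest, expected)


def basic_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic Authorization header value (used by clients/tests)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header):
    """Return (username, password) from a Basic header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def login_response(headers, http_auth=True, form_credentials=None):
    """Decide (status, response_headers) for a login attempt.

    http_auth=True : the endpoint uses HTTP authentication (RFC 7235); missing or
                     wrong credentials get 401 plus a WWW-Authenticate challenge.
    http_auth=False: credentials come from a form/JSON body; a wrong password gets
                     403 (request understood, but refused), never 401.
    """
    if http_auth:
        creds = parse_basic_auth(headers.get("Authorization"))
        if creds and verify_credentials(*creds):
            return 200, {}
        # The challenge header is what makes 401 meaningful to a client.
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    if form_credentials and verify_credentials(*form_credentials):
        return 200, {}
    return 403, {}


if __name__ == "__main__":
    ok = {"Authorization": basic_header("alice", "correct horse battery staple")}
    print(login_response(ok))                                   # (200, {})
    print(login_response({"Authorization": basic_header("alice", "nope")}))  # 401 + challenge
    print(login_response({}, http_auth=False, form_credentials=("alice", "nope")))  # (403, {})
```

Note that the 401 branch always carries a WWW-Authenticate header; a 401 without a challenge is the part of the protocol that most hand-written login endpoints omit, and it is why form-based logins are better served by 403.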