HTTP status code for missing authentication
Solution 1
Formally, 403 Forbidden is the right response. It's defined as
Authorization will not help and the request SHOULD NOT be repeated.
The confusing part may be "Authorization will not help", but they really mean "HTTP authentication" (WWW-Authenticate)
Solution 2
403 I believe is technically correct (and probably most effective if you are implementing a custom API / protocol).
401 is not appropriate as it refers to authorization with a WWW-Authenticate header, which a session cookie is not.
If this is a public facing website where you are trying to deny access based on a session cookie, 200 with an appropriate body to indicate that log in is needed or a 302 temporary redirect to a log in page is often best.
Related videos on Youtube
10 : 22
08 : 16
12 : 27
17 : 21
07 : 24
15 : 52
16 : 05
04 : 45
06 : 21
22 : 56
17 : 01
08 : 34
deamon
Updated on May 10, 2022Comments
-
deamon almost 2 years
HTTP defines the status 401 Unauthorized for missing authentication, but this status only applies to HTTP authentication. What status should I return with a session cookie based system, when an unauthorized request happens?
-
Erik Philips over 13 yearsThis means the user should not EVER attempt the request again. This is not appropriate. -
userx over 13 yearsTechnically, I believe you are correct. In the case of practical implementation, I believe a 200 with an HTML based error message or 302 redirecting to another page where session based login can occur is more common (and perhaps arguably more useful).
-
userx over 13 years@Erik Philips - This is correct, the request shouldn't be. Once the headers of the request are altered to have a correct session cookie (hence not the SAME request), access will be granted.
-
deamon over 13 yearsIs there a RFC defining 401.1?
-
Julian Reschke over 13 yearsHTTP status codes consist of three digits. There is no such thing as NNN.N on the wire (except maybe in the message, which doesn't carry any meaning) -
Julian Reschke over 13 yearsThis would be fixable my actually defining a cookie-based HTTP authentication scheme.
-
Admin over 13 yearsI couldn't find any RFC on 401.1 -
userx over 13 years@Julian Reschke - Well cookies don't by definition have much to do with authentication; primarily, they are adding some amount of "state" to a "state-less" protocol, HTTP. Cookies themselves don't authenticate anything. They are simply information being sent to a server which that server previously asked the browser to save. Yes, that information can be used for determining if you previously were authenticated as a user (typically via HTTP POST / GET). It also can simply be used to indicate whether you've seen a particular ad before, or visited that site before and when, etc.
-
Admin over 13 yearsI didn't make 401.1 up, it's being used by microsoft in sites using asp.net technology. I couldn't find any other reference other than from microsoft.
-
JakubKnejzlik almost 10 yearsI don't know if it's not misleading to strongly reference the authorization METHOD. IMO it doesn't matter if the authorization is transferred over cookies or header field, the critical information of the status code is if the reason of the failure is due to unauthorized request (token expired/not specified – 401) or if the user is not approved to access this resource and there is no way to change it with his "account" (403).
-
Bergi over 3 years
