Aristotle Pagaltzis wrote:
> * Andrew Rodland <[EMAIL PROTECTED]> [2008-03-12 05:55]:
> > Anyway, you get a 401 if the server doesn't know who you are,
> > and it thinks that if you were the right person you might be
> > able to perform that action. You get a 403 if you're not
> > allowed to do that despite who you may or may not be.
> 
> Exactly. 401 means “use a different set of credentials and try
> again”; 403 means “go away, you don’t get to see this.”
> 
> So when would 403 happen? F.ex. if access to the resource is
> restricted to certain IP ranges, and you are requesting the
> resource from an IP outside of those. Or in the case of Apache, you
> are asking for a URI that’s served from the file system, but the
> web server does not have permission to read that file. Or you
> request a URI with a trailing slash, but the corresponding
> directory has no `index.html` and the server is not configured
> to generate directory listings.
> 
> Etc.
> 
> Note that RFC 2616 also says that the web server is allowed
> to send 404 instead of 403 when it doesn’t want to reveal the
> existence of a particular resource to third parties.

The RFC also says that 401 responses MUST include a WWW-Authenticate header field, implying that it is specifically related to HTTP-level authentication. Is there a particular status code for denying access based on application-level authentication, or should you just use 200 for that?

Matt
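The 401/403/404 rules discussed in this thread, put into one small decision function as an added example (not code from the thread or from Catalyst). The user table, ACL, hidden paths and the 10.0.0.0/8 range are constructed sample data, and Basic authentication stands in for "HTTP-level authentication".

```python
import base64
import ipaddress
from typing import Optional

# Constructed sample data for this example only.
USERS = {"alice": "correct horse", "bob": "battery staple"}
ACL = {"/admin": {"alice"}, "/report": {"alice", "bob"}, "/secret": {"alice"}}
HIDDEN = {"/secret"}                              # answer 404 rather than 403
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")    # /admin only from this range


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value; used here to construct sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[str]:
    """Return the user name if the header carries valid Basic credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


def decide(path: str, client_ip: str, authorization: Optional[str] = None):
    """Return (status, extra_headers) for a request, following the thread's rules."""
    if path not in ACL:
        return 404, {}
    if path == "/admin" and ipaddress.ip_address(client_ip) not in ADMIN_NET:
        # IP-range restriction: no set of credentials would help, so 403, not 401.
        return 403, {}
    user = parse_basic(authorization)
    if user is None:
        # Caller unknown (or wrong credentials): the right credentials might work,
        # so 401, and RFC 2616 requires WWW-Authenticate on every 401.
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    if user not in ACL[path]:
        # Known caller, not permitted: 403, or 404 where existence must stay hidden.
        return (404 if path in HIDDEN else 403), {}
    return 200, {}
```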


_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/