-- Marian Meres <[email protected]> wrote
(on Friday, 19 March 2010, 08:43 AM +0100):
> what kind of HTTP response codes would you suggest using when
> accessing a page which requires user to be logged in and there is no
> current identity present?
>
> Initially I thought about "401 Unauthorized", but the definition says:
> "The response MUST include a WWW-Authenticate header field containing
> a challenge applicable to the requested resource" where I'm not sure I
> know what that means...

I've used a 401 error code quite a number of times, and consider it perfectly valid. While the spec indicates the WWW-Authenticate header is required, I have yet to see a browser that acts on it, nor can I think of any apps offhand that actually use it; I certainly haven't seen any negative side-effects from not supplying it.

So, based on that anecdotal evidence... I'd go ahead and use it.

> I also thought about "403 Forbidden", but again from the definition:
> "Authorization will not help and the request SHOULD NOT be repeated"
> does not look like a good choice.
>
> Or forget it and stick with good old "200 OK"?

--
Matthew Weier O'Phinney
Project Lead | [email protected]
Zend Framework | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
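The two cases the thread weighs (no identity at all versus an identity that lacks the right), as an added example that is not part of either message and is not Zend Framework code: a small WSGI middleware that answers 401 with the `WWW-Authenticate` challenge the quoted definition requires, and 403 for a logged-in user without the role. The `RequireLogin` class, the `app.identity` environ key, the realm text and the `Basic` default scheme are assumptions made for the illustration.

```python
def quote_realm(realm):
    # HTTP quoted-string: escape backslash first, then double quote.
    return '"' + realm.replace("\\", "\\\\").replace('"', '\\"') + '"'


class RequireLogin:
    """WSGI middleware: 401 + challenge when anonymous, 403 when logged in
    but lacking `role`. Assumes an upstream session layer puts the identity
    in environ["app.identity"] (hypothetical key) as {"user":..., "roles":[...]}."""

    def __init__(self, app, prefix, role, realm, scheme="Basic"):
        self.app, self.prefix, self.role = app, prefix.rstrip("/"), role
        self.challenge = "%s realm=%s" % (scheme, quote_realm(realm))

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Match the prefix on a path-segment boundary, not as a bare string.
        if path != self.prefix and not path.startswith(self.prefix + "/"):
            return self.app(environ, start_response)      # unguarded path
        identity = environ.get("app.identity")
        if identity is None:                               # nobody logged in
            return self._deny(start_response, "401 Unauthorized",
                              [("WWW-Authenticate", self.challenge)])
        if self.role not in identity.get("roles", ()):     # known user, no right
            return self._deny(start_response, "403 Forbidden", [])
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, status, extra):
        body = status.encode("ascii")
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))] + extra)
        return [body]


def page(environ, start_response):          # constructed stand-in application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"members page"]


def call(app, path, identity=None):         # constructed request driver
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if identity is not None:
        environ["app.identity"] = identity
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


guarded = RequireLogin(page, "/members", role="member", realm="Members area")
```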
