> If all you send is a 403, the user has no means of logging in.
> Browsers only display the login box if a 401 response has been received.

Well, 401 is unauthorized - but the anonymous user is authorized. Thus a 403 Forbidden should be sent, since the user is forbidden to write content.

We should avoid using the default basic auth and use form-based auth instead. This way you can send along your auth cookie and everything works.

> If a user is properly logged in and his privileges do not allow to
> access a portion of content, 403 is the right response. But in the case
> of the anonymous user that has been logged in by default without ever
> giving the user the possibility to log-on, 401 would be the correct
> response.

I think it's the job of the client to ensure this.

--
Tobias Bocanegra, Day Management AG, Barfuesserplatz 6, CH - 4001 Basel
T +41 61 226 98 98, F +41 61 226 98 97
http://www.day.com
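The decision the thread is arguing about, written out as an added example (this is not code from the thread or from Day's products). It assumes a hypothetical server where the anonymous user is logged in by default, a session cookie named `auth` maps to a user name, a small in-memory ACL grants `read`/`write` per user, and the server runs either in a `basic` mode (browser login box, so 401 plus `WWW-Authenticate` is the only way the browser offers a login) or a `form` mode (the approach the reply argues for, where the client is sent to a login page and the status code alone does not have to trigger a login). The ACL, session store and paths are constructed sample data.

```python
"""Added example: choosing between 401, 403 and a login-form redirect
when the anonymous user is logged in by default.

Everything below is hypothetical: the ACL, the session store, the cookie
name "auth" and the login URL are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import quote

ANONYMOUS = "anonymous"

# Constructed sample ACL: anonymous may only read, alice may read and write.
ACL = {
    ANONYMOUS: {"read"},
    "alice": {"read", "write"},
}

# Constructed session store: cookie value -> authenticated user name.
SESSIONS = {"s3ss10n-alice": "alice"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def resolve_user(cookies: dict) -> str:
    """Anonymous is the default identity; only a known session cookie upgrades it.
    An unknown or missing cookie silently falls back to anonymous."""
    return SESSIONS.get(cookies.get("auth", ""), ANONYMOUS)


def authorize(cookies: dict, action: str, path: str = "/content",
              mode: str = "form", login_url: str = "/login") -> Response:
    """Return the response a request for `action` on `path` should get.

    200  - the resolved user holds the privilege
    403  - a real (non-anonymous) user lacks the privilege; both sides of
           the thread agree on this case
    401  - anonymous lacks the privilege and the server uses basic auth:
           WWW-Authenticate is what makes a browser show its login box
    302  - anonymous lacks the privilege and the server uses form-based
           auth: redirect to the login form, keeping the original target
    """
    user = resolve_user(cookies)
    if action in ACL.get(user, set()):
        return Response(200)
    if user != ANONYMOUS:
        # Identity is known and simply lacks the privilege.
        return Response(403)
    if mode == "basic":
        return Response(401, {"WWW-Authenticate": 'Basic realm="repository"'})
    # Form-based auth: the client, not the status code, offers the way to log in.
    return Response(302, {"Location": f"{login_url}?resource={quote(path, safe='')}"})


if __name__ == "__main__":
    for label, cookies, action, mode in [
        ("anonymous read, form", {}, "read", "form"),
        ("anonymous write, basic", {}, "write", "basic"),
        ("anonymous write, form", {}, "write", "form"),
        ("alice write", {"auth": "s3ss10n-alice"}, "write", "form"),
        ("alice delete", {"auth": "s3ss10n-alice"}, "delete", "form"),
        ("bogus cookie write, basic", {"auth": "nope"}, "write", "basic"),
    ]:
        r = authorize(cookies, action, mode=mode)
        print(f"{label:28} -> {r.status} {r.headers}")
```

Note that a stale or forged cookie is treated exactly like no cookie: the request degrades to anonymous rather than failing closed with a 403, which is what lets the redirect (or 401) still offer the user a path to log in.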
