Brad Koch
Reputation: 20267
Appropriate unauthorized response when using form based authentication
I have a web app that uses form based authentication. When an AJAX request fails due to session timeout, I need to send an appropriate notification. It looks like I could send:
- 403 Forbidden, but that implies "authorization will not help", which is false.
- 401 Unauthorized, but responses "MUST include a WWW-Authenticate header field" and the information on what exactly the value should be when using form based authentication is limited.
When an AJAX request fails because the user is not authenticated, what then is the appropriate response?
Upvotes: 1
Views: 316
Answers (1)
Szocske
Reputation: 7661
I tend to interpret 403 as "HTTP authorization will not help", and use it instead of 401 when not using HTTP authentication.
Upvotes: 1
Related Questions
- What WWW-Authenticate header should a http server return in a 401 response when using form-based authentication?
- Auth headers not working ajax 401 Unauthorized
- Using http basic authentication with Ajax call
- Returning HTTP 401 status for AJAX responses without WWW-Authenticate
- Sending authorization headers with jquery and ajax
- HTTP headers for AJAX/ denied authentication?
- Restful Authentication Through Ajax
- Authenticating/Authorising AJAX requests from client browser
- Forms Authentication and POST requests from AJAX
- Handle www-authentication request using ajax?