Return HTTP 401 and say client DO NOT repeat request

Question

We implemented custom authentication. User name and password are send in request body. If user or password is invalid then Server returns HTTP 401. Server is implemented with C#, MVC3 and .NET 4.0.

We faced the problem that if client received 401 then it automatically resends the same request 2 times. Actually this is issue for iOS only. iOS guys said that it happens on low level and it is out of control in application. So probably server should be able to say client do not send request again.

This is problem for us because we use Active Directory and in case of invalid password we spend 3 attempts instead of just one. So account becomes locked very soon and unexpectedly.

I found this document that says

401 Unauthorized

... The client MAY repeat the request with a suitable Authorization header field.

How to return HTTP 401 and say to client DO NOT repeat request anymore?

Answer 1

You may use 403 instead:

From W3 site:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.

Indeed, this is a little tricky: 403 seems more appropriate when authentication was successful, but the resource requested is not allowed for the specific user, which is not your case. However, 403 means client should not repeat authentication, and this is what you want.

If the login page is to be interpreted only by humans, then you may consider returning "200 OK" and simply display the login page again (perhaps with a visible indication to the user that the login has failed).