When creating a web service (RESTful), what status code should I use when the session token is invalid? Currently the one in my company sends me a 404 Not Found, but I think this is not correct, because the resource exists. Maybe I should use 401 Unauthorized. What do you think? What status code do you recommend I use in this scenario? Thanks.
2 Answers
401 Unauthorized.
Your existing session token doesn't authorize you any more, so you are unauthorized.
Don't forget that a session token is just a short-cut to avoid having to provide credentials for every request.
Sending 404 is incorrect because, as you observe, the resource does exist. You just don't currently have authorization to see it.
NB Don't use 403 Forbidden; the HTTP specification defines it as follows: "The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated." That doesn't apply in this case as authorization WILL help.
- No. 498 is an unofficial code used by a proprietary product. – Colin 't Hart Mar 23 '16 at 09:01
- Wouldn't a 404 be more "secure", since I wouldn't be revealing that such a path exists? – user3711421 Apr 14 '20 at 10:15
- @user3711421 I would check credentials before I check whether or not a resource even exists, and so return 401 without valid credentials, even if later the resource may not actually exist. So the 401 says nothing about your resources. It may help you to think of an analogy of a building protected by a card reader at the entrance. It doesn't help you to know that you want to go to room 10 on floor 40 if you don't have a valid keycard -- you're not getting in anyway. Whether or not there is a room 10 on floor 40 (or if there are even that many floors in the building) is irrelevant. – Colin 't Hart Apr 14 '20 at 10:22
- But if I come to know the information that room 10 on floor 40 exists, I can keep trying different cards. If I didn't know about room 10 on floor 40, I wouldn't even know if I am swiping for a room that exists. Now I have in mind a system which has both open and authenticated endpoints. – user3711421 Apr 14 '20 at 10:36
- @user3711421 1) The 401 doesn't tell you whether or not the "room 10 on floor 40" exists. 2) Security through obscurity. Sooner or later word is going to get out that "room 10 on floor 40" exists. Then you better have secure "keycards". – Colin 't Hart Apr 14 '20 at 10:39
- If a system would have both open and closed endpoints, wouldn't a 401 tell you indirectly that that endpoint exists? Otherwise you would have to check auth on all /this-path-doesnt-exists and would return 401 instead of 404. But as you say, this "information leakage" is probably overkill. But it is still something to think about; there are a lot of articles online regarding this, and views vary. Linking to https://stackoverflow.com/questions/4038981/is-it-ok-to-return-a-http-401-for-a-non-existent-resource-instead-of-404-to-prev – user3711421 Apr 14 '20 at 10:57
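The ordering the accepted answer and its comment thread describe (authenticate first, then locate the resource, then authorize) can be made concrete in a small request handler. The following is an added example and is not code from the question or from either answer; the session store, resource table, token values and the `handle_get` function are all constructed for illustration. It shows that an invalid or missing token yields 401 regardless of whether the path exists, that 404 is only reachable once the caller is known, and that a valid token on a resource the user may not see yields 403, the case where re-authenticating will not help.

```python
"""
Added example (not from the question or either answer): a minimal handler
that checks the session token before it looks the resource up, so that
401 never depends on whether the path exists. Sample data is constructed.
"""
from dataclasses import dataclass

# Constructed sample data: session token -> user, and resource path -> owner.
SESSIONS = {
    "tok-alice-valid": "alice",
    "tok-bob-valid": "bob",
}
RESOURCES = {
    "/orders/1": "alice",
    "/orders/2": "bob",
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def _extract_token(headers):
    """Return the bearer token from the Authorization header, or None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() == "bearer" and token:
        return token
    return None


def handle_get(path, headers):
    """Resolve a GET request in the order: authenticate, locate, authorize."""
    # 1. Authentication first. A missing, malformed or expired session token
    #    is 401. RFC 7235 requires a WWW-Authenticate header on a 401 response
    #    so the client knows how to obtain fresh credentials.
    token = _extract_token(headers)
    user = SESSIONS.get(token) if token else None
    if user is None:
        return Response(
            401,
            {"WWW-Authenticate": 'Bearer realm="api"'},
            "session token missing or invalid; re-authenticate",
        )

    # 2. Only now look the resource up. The caller is already authenticated,
    #    so a 404 here reveals nothing to anonymous probing of paths.
    owner = RESOURCES.get(path)
    if owner is None:
        return Response(404, {}, "no such resource")

    # 3. Authorization. The token is fine but this user may not see this
    #    resource; re-authenticating will not help, which is the 403 case.
    if owner != user:
        return Response(403, {}, "forbidden")

    return Response(200, {}, f"order belongs to {owner}")
```

Because the token check runs before the lookup, `handle_get("/this-path-doesnt-exist", {})` returns 401 exactly like a request for a real resource, which is the point made in the comments: the 401 says nothing about whether the path exists. The same request with a valid token returns 404, and only then is existence disclosed, to an identified caller.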
Looking through the `HttpStatusCode` enum, I think `Unauthorized` is probably the closest to what you're looking for. Take a look at the list there, and read the descriptions for each one.
- I prefer to use the definitive source: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html – Colin 't Hart Dec 16 '13 at 14:25
- @Colin'tHart That's definitely a good source. It's pretty long though. The MSDN link serves as a good quick-reference (I actually just typed `((HttpStatusCode).` into Visual Studio, which gives you this list). – Danny Beckett Dec 16 '13 at 14:25