
The HTTP 1.1 spec says:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated. [...]

Does this mean only "basic authorization", as in WWW-Authenticate: Basic? Should a 403 ever be issued for resources where some other user could potentially access the denied resource through means other than basic HTTP authentication (for example through his session cookie, OpenID, etc.)?

I'm asking this since HTTP 401 says that...

the response MUST include a WWW-Authenticate header field

...and I'm not sure if I should actually add a header like WWW-Authenticate: Custom.

Many people seem to use 403, even in cases where a simple cookie could have made the resource available. Are they all wrong?

Camilo Martin

1 Answer


I believe you are right that 403 should be used when the request will be denied, regardless of authorization. An example usage would be to prevent directory browsing, as described here:

http://www.checkupdown.com/status/E403.html

It is certainly possible that people are using it incorrectly where 401 should be used instead.

The differences between 401 and 403 are also discussed in this other SO question, where the consensus is that 401 is for authentication errors, and 403 is for authorization errors.

The issue of authentication versus authorization can be slightly confusing, particularly when the spec says:

10.4.2 401 Unauthorized

The request requires user authentication.

I think the key distinction is:

  • 401 means you are not authorized because you don't have the right authentication
  • 403 means you are not authorized regardless of authentication.
Ergwun
  • By my understanding, 403 would also be appropriate if access is denied to your IP address, or your user-agent, or some other thing that you're not reasonably expected to change. 401 means "try again with the right credentials"; 403 means "go away, I don't like you." – hobbs Dec 20 '13 at 00:18
  • The requirement about `WWW-Authenticate` shouldn't be taken too literally, that's good intentions on the part of the spec authors, but the world went and invented lots of ways to auth over HTTP that aren't actually HTTP auth. – hobbs Dec 20 '13 at 00:20
  • @hobbs - that's a good point about other scenarios where 403 is appropriate. I've removed the clause "for any user" from my answer, to focus on the key distinction of authentication versus authorization, and added some more explanation of 401 versus 403. – Ergwun Dec 20 '13 at 00:29
  • @hobbs Well, it's a spec from last millennium, but still, I'm not sure if lack of the `WWW-Authenticate` would trigger HTTP login dialogs from any browsers... [This question](http://stackoverflow.com/questions/928874) makes me think Firefox would present such a login dialog but I'm not getting any. Also, wouldn't your IP address and user-agent be loosely a form of "credentials"? – Camilo Martin Dec 20 '13 at 00:37
  • I agree with your last point about the distinction between the two, but since the spec says "authorization will not help", an "authorized" user agent (different IP, etc.) shouldn't make a difference. Still, this kinda makes the potential uses of 403 very restricted. – Camilo Martin Dec 20 '13 at 02:22
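The following is an added example, written for this page and not code from the question, the answer or any of the commenters. It puts the distinction the answer draws (401 = "we don't know who you are, send `WWW-Authenticate`"; 403 = "we know, or it doesn't matter, and the answer is still no") and hobbs' point about path-based denial into one small request handler. The user store, the per-path role policy, the blocked path list, and the `handle()` / `identify()` function names are all hypothetical; the passwords are constructed sample values, not real credentials.

```python
import base64
import hmac

# Constructed sample user store: username -> (password, roles). Not real credentials.
USERS = {
    "alice": ("alice-pw", {"reader"}),
    "bob": ("bob-pw", {"reader", "admin"}),
}

# Constructed policy: which role a path requires. Unknown paths get 404.
POLICY = {"/reports": "reader", "/admin": "admin"}

# Paths denied to everyone, whoever they are (hobbs' "go away" case): no credentials
# would change the decision, so no WWW-Authenticate challenge is offered.
BLOCKED_PREFIXES = ("/.git/",)


def basic_header(user, password):
    """Build an Authorization header value for HTTP Basic (test helper)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def identify(headers):
    """Return the username if the Authorization header carries valid Basic
    credentials, otherwise None. Malformed input is treated as 'not authenticated'."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = USERS.get(user)
    if record is None:
        return None
    # Constant-time comparison so a wrong password does not leak by timing.
    if not hmac.compare_digest(record[0].encode("utf-8"), password.encode("utf-8")):
        return None
    return user


def handle(path, headers):
    """Return (status, response_headers) following the answer's 401/403 rule."""
    # 403 first: the decision does not depend on who the client is, so
    # "authorization will not help" in the spec's words.
    if path.startswith(BLOCKED_PREFIXES):
        return 403, {}

    required_role = POLICY.get(path)
    if required_role is None:
        return 404, {}

    user = identify(headers)
    if user is None:
        # 401: we do not know who you are. The spec requires a challenge here,
        # and a Basic challenge is what this handler actually accepts.
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}

    if required_role not in USERS[user][1]:
        # 403: we know who you are, and that identity is not allowed this resource.
        # Re-sending the same credentials would not change the outcome.
        return 403, {}

    return 200, {}


if __name__ == "__main__":
    print(handle("/reports", {}))
    print(handle("/admin", {"Authorization": basic_header("alice", "alice-pw")}))
    print(handle("/.git/config", {"Authorization": basic_header("bob", "bob-pw")}))
```

The ordering matters: the blocked-path check runs before any credential handling, so a client that can never get in is not invited to retry with a challenge, while a client that simply has not identified itself yet gets the `WWW-Authenticate` header the 401 section of the spec requires. If the real application authenticates through session cookies or OpenID rather than Basic, the challenge value is the part to change; the 401/403 split itself stays the same.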