I read a lot about using HTTP 403 or HTTP 401 for managing unauthorized requests.

I think that if my application uses one-phase authentication, then using HTTP 403 is more appropriate, since the HTTP 401 response definition indicates that authentication is required. So if a user is not logged in and he tries to access a page, then the application should require a username/password. But if the user is authenticated and the application has only one-phase authentication, then returning 403 is the right code if the user is not authorized, since even if the user re-types his username and password, nothing will change. But if my application requires two-phase authentication, for example to enter a second password, then returning HTTP 401 will be more appropriate. So can anyone advise?

John John
  • It boils down to the difference between authentication versus authorization. This answer will clarify it further: http://stackoverflow.com/a/6937030/1144203 – ivan.sim Aug 07 '14 at 16:36
  • But is it a standard way to return 403 for unauthorized requests and specify a custom error message, something such as "Sorry, you do not have the required permissions to access to Page"? For example, inside my ASP.NET application, to return new HttpStatusCodeResult(403,"Sorry, you do not have the required permissions to access to Page"); – John John Aug 07 '14 at 16:47
  • I have seen it done either way, i.e. with or without a custom error message. The RFC says, "...If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead." – ivan.sim Aug 07 '14 at 17:04
  • Also, if you are working with IE, one caveat is that your error message has to be "big enough". Otherwise, IE will display its own default error page http://www.404-error-page.com/404-error-page-too-short-problem-microsoft-ie.shtml – ivan.sim Aug 07 '14 at 17:05
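
The authentication/authorization split from the comments above, sketched for ASP.NET MVC as an added example (not code from the question or from either commenter): 401 when the request carries no authenticated identity, 403 when the identity is known but lacks permission, and optionally 404 as in the RFC passage quoted above. The names `AuthorizeOrForbidAttribute`, `HideExistence`, `ReportsController` and the `Admin` role are assumptions made for illustration.

```csharp
using System.Web.Mvc;

// Hypothetical attribute: the stock AuthorizeAttribute answers both
// "not logged in" and "logged in but not allowed" with 401.
public class AuthorizeOrForbidAttribute : AuthorizeAttribute
{
    // Hypothetical switch: answer 404 instead of 403 when the server does not
    // want to reveal that the resource exists.
    public bool HideExistence { get; set; }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        bool authenticated = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated;

        if (!authenticated)
        {
            // No identity yet: default handling sets HttpUnauthorizedResult (401).
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        if (HideExistence)
        {
            filterContext.Result = new HttpNotFoundResult();
            return;
        }

        // Identity is known, so logging in again cannot help: 403.
        // The second argument becomes the status description on the status
        // line, not the response body; render a view for a full error page.
        filterContext.Result = new HttpStatusCodeResult(
            403, "Sorry, you do not have the required permissions");
    }
}

public class ReportsController : Controller
{
    [AuthorizeOrForbid(Roles = "Admin")]
    public ActionResult Index() { return Content("admin report"); }

    [AuthorizeOrForbid(Roles = "Admin", HideExistence = true)]
    public ActionResult Audit() { return Content("audit log"); }
}
```

With Forms Authentication enabled, ASP.NET turns the 401 into a 302 redirect to the login page, so only the 403 and 404 branches reach the browser unchanged.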
