40

I am implementing a simple registation/login module.

While testing user credentials, I start thinking which HTTP status code will be appropriate, for the situation if a user send a request with incorrect credentials.

At first, I thought 401 Unauthorized would be a nice status code, but it seems it will be better to use it when a user is trying to get some resource without authorisation.

After, I switched to 409 Conflict

This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request.

So, friends, please give me an advise, which status code should be used.

undefined
  • 6,208
  • 3
  • 49
  • 59
Nodari Lipartiya
  • 1,148
  • 3
  • 14
  • 24
  • using a resource without authorization should be a 403 Forbidden. – Jeremy Holovacs Oct 24 '18 at 12:30
  • @JeremyHolovacs "The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it. This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource." – onosendi Aug 26 '21 at 13:32

1 Answers1

48

If you use HTTP authentication as defined by RFC 7235, 401 would be correct (for missing or incorrect credentials).

Otherwise, use 403.

Julian Reschke
  • 40,156
  • 8
  • 95
  • 98