
I have an API endpoint and the request should have a cookie (not authentication). What would be the correct HTTP status code to return if it isn't present?

I would assume a 400 Bad Request would be the best.

cassiomolin
Timigen
    http://racksburg.com/choosing-an-http-status-code/ – CodeCaster Apr 18 '16 at 14:44
  • That is a very helpful post, thank you. I will say that it doesn't seem to answer my question. I get to the 400 level and see a list of headers, cookies are stored in the set-cookie header, and I don't see that in the list. – Timigen Apr 18 '16 at 14:59
  • Seems like there should be a "Resend With Cookie" and a Resend-Cookie-For-Domain header. Browsers could be configured by default to prompt if the cookie should be sent. People could trade off between maximizing privacy and maximizing availability of advertiser-financed services. – WaltK Jan 06 '20 at 16:16

2 Answers


Not many details are provided in your question, but I guess 400 (Bad Request) is a good option:

6.5.1. 400 Bad Request

The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

However, depending on your requirements, you also could consider the 422 (Unprocessable Entity) status code, defined in the WebDAV specification, which is just an extension of the HTTP protocol:

11.2. 422 Unprocessable Entity

The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415 (Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.


Just remember to provide a good description in the response payload explaining what's missing in the request.

cassiomolin

I would consider a 403 forbidden status code for this situation - where everything else is fine but the request is missing a cookie. To copy its details from the linked reference:

The server understood the request but refuses to authorize it.

If authentication credentials were provided in the request, the server considers them insufficient to grant access

Status 401 unauthorized is for when the request lacks authentication credentials. But 401 also requires the response to contain a WWW-Authenticate header field. Based on the question, the request should have a cookie but doesn't, and it isn't a matter of authentication.

Status 400 is when the client request was erroneous, which might be a bit misleading for the scenario the OP describes.

Status 422 might be appropriate, but I think it is a bit too generic, since it means something along the lines of everything was okay, but the server is unable to process the request.

ahron
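To make the two answers concrete, here is an added example (not code from the question or from either answer) of a minimal handler that checks for a required, non-authentication cookie and, when it is absent, returns one of the status codes discussed in the thread (400 by default, 422 or 403 as alternatives) together with a response body that says exactly which cookie is missing. The cookie name `session_prefs`, the handler signature and the JSON shape are assumptions made for illustration; the standard-library `http.cookies` parser is used so that a malformed `Cookie` header still yields a clean 4xx rather than a crash.

```python
"""Added example (not from the question or either answer): a minimal request
handler that rejects a request lacking a required, non-authentication cookie
with a descriptive error body. The cookie name, the handler signature and the
JSON shape are assumptions for illustration.
"""
import json
from http.cookies import CookieError, SimpleCookie

# Hypothetical non-auth cookie the endpoint depends on (constructed name).
REQUIRED_COOKIE = "session_prefs"

# The three status codes the answers discuss for a missing cookie.
# 401 is deliberately absent: it is reserved for missing authentication
# credentials and requires a WWW-Authenticate header in the response.
MISSING_COOKIE_STATUSES = {
    400: "Bad Request",
    422: "Unprocessable Entity",
    403: "Forbidden",
}


def parse_cookie_header(header_value):
    """Parse a Cookie request header into {name: value}.

    A malformed header (illegal key characters) is treated as "no cookies"
    rather than raised, so the caller still produces a clean 4xx response.
    """
    jar = SimpleCookie()
    try:
        jar.load(header_value or "")
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def handle_request(headers, missing_status=400):
    """Return (status, reason, body_dict) for a request with the given headers.

    `headers` maps header names to values; names are matched case-insensitively
    as HTTP requires. `missing_status` selects which of the discussed codes is
    used when the cookie is absent (400 by default).
    """
    if missing_status not in MISSING_COOKIE_STATUSES:
        raise ValueError(f"unsupported status for a missing cookie: {missing_status}")

    lowered = {name.lower(): value for name, value in headers.items()}
    cookies = parse_cookie_header(lowered.get("cookie"))

    if REQUIRED_COOKIE not in cookies:
        # Say exactly what is missing so the client can correct the request.
        body = {
            "error": "missing_cookie",
            "cookie": REQUIRED_COOKIE,
            "detail": f"Request must include the '{REQUIRED_COOKIE}' cookie.",
        }
        return missing_status, MISSING_COOKIE_STATUSES[missing_status], body

    return 200, "OK", {"ok": True, "prefs": cookies[REQUIRED_COOKIE]}


def render_response(status, reason, body):
    """Serialise a handler result as raw HTTP/1.1 response text."""
    payload = json.dumps(body)
    return (
        f"HTTP/1.1 {status} {reason}\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(payload.encode())}\r\n"
        "\r\n"
        f"{payload}"
    )


if __name__ == "__main__":
    # Constructed sample requests: one carrying the cookie, one without it.
    with_cookie = {"Host": "api.example", "Cookie": "theme=blue; session_prefs=dark"}
    without_cookie = {"Host": "api.example"}
    print(render_response(*handle_request(with_cookie)))
    print(render_response(*handle_request(without_cookie)))
    print(render_response(*handle_request(without_cookie, missing_status=422)))
```

Whichever code you settle on, the body is what makes the error actionable: a client seeing `"cookie": "session_prefs"` knows what to resend, whereas a bare 400 or 403 only tells it that something was wrong.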