@RJPawlick198

Is HTTP code 401 or 403 appropriate for when a logged in user is not allowed to view the data?

Posted in: #403Forbidden #ErrorCode #Http

I am looking for a good way to return an error when an unauthenticated/unauthorised user is trying to get restricted-access content from my site. Currently I ask the user to log in, check the credentials and save, in the PHP session, the user ID and the session expiration. This information is checked each time a user tries to access the site (all data is retrieved via PHP scripts).

If the user is not authorized, I currently return error information in JSON format. This information can then be used by the front-end (HTML/JS) to "fail gracefully". But I believe a more proper way is to simply serve an HTTP error code.

However, having read about codes 401 and 403 in Wikipedia and at W3C, I am confused about which one I should use. 401 seems to be the right one, but they say explicitly that it assumes the HTTP authentication mechanism. So should I use 403? But for that one they say "Authorization will not help and the request SHOULD NOT be repeated."

Also, is there a standard way to (and should I) provide information on why the access was denied (e.g. for the user agent to distinguish between the user not being authorized and the session having expired)?

@Steve110

Perfectly explained in this URL: web.archive.org/web/20131026070133/http://danielirvine.com/blog/2011/07/18/understanding-403-forbidden/


There’s a problem with 401 Unauthorized, the HTTP status code for
authentication errors. And that’s just it: it’s for authentication,
not authorization. Receiving a 401 response is the server telling you,
“you aren’t authenticated–either not authenticated at all or
authenticated incorrectly–but please reauthenticate and try again.” To
help you out, it will always include a WWW-Authenticate header that
describes how to authenticate.

This is a response generally returned by your web server, not your web
application.

It’s also something very temporary; the server is asking you to try
again.

So, for authorization I use the 403 Forbidden response. It’s
permanent, it’s tied to my application logic, and it’s a more concrete
response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know
who you are–I believe who you say you are–but you just don’t have
permission to access this resource. Maybe if you ask the system
administrator nicely, you’ll get permission. But please don’t bother
me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing or
bad authentication, and a 403 Forbidden response should be used
afterwards, when the user is authenticated but isn’t authorized to
perform the requested operation on the given resource.
