Best way to respond to an authentication request via HTTPS
I'm implementing a very simple authentication scheme. Username:Password are sent (via header of an HTTPS POST request) to a PHP file on an Apache server that checks whether that combination is in a MySQL database or not and whether it has expired.
As I'm fairly new to web engineering (if you can call what I do that), I'm a little unsure how to execute the response.
Should I return true or false (or something like this that shows whether authentication worked or not) in the body of the HTTPS response - or in the header (both of which would be HTTP status code 200, I guess)? Or would it be best practice to return with a status code such as 200 for successful auth and something like 401 Unauthorized in case the user:pass combination was not found/is expired?
More posts by @Moriarity557
It would be usual to return the appropriate HTTP status code to indicate success/failure, as you suggest. A 200 for success, 401 (or 403) for failure. However, strictly speaking, a 401 status should be accompanied by a WWW-Authenticate response header. And maybe an access token (cookie) for persistent connections (although this might just be stored in the session).
What you return in the response body is really up to you and in many ways is dependent on the type of the request. If the request is from an HTML form submission then it would be usual to send an HTML response - the user wants to see something. If you are building an API or sending an AJAX request then maybe you don't need to send any response body, or maybe a plain text error, or an XML / JSON string with a structured (error) response?
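The status-code approach discussed above, as an added example (not code from the original post or its author). It assumes the credentials arrive in an HTTP Basic `Authorization` header; the table layout, realm name, DSN and JSON field names are placeholders chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the original post): users(username, password_hash, expires_at),
// with password_hash produced by PHP's password_hash().

/** Decide the response for one login attempt: [status, extra headers, body]. */
function authResponse(PDO $db, ?string $user, ?string $pass): array
{
    // Same 401 for unknown user, wrong password and expired account: no username oracle.
    $deny = [401, ['WWW-Authenticate: Basic realm="example", charset="UTF-8"'],
             ['authenticated' => false, 'error' => 'invalid_credentials']];
    if ($user === null || $pass === null) {
        return $deny;
    }
    // Bound parameter, never concatenated SQL; MySQL applies the expiry check.
    $stmt = $db->prepare(
        'SELECT password_hash FROM users WHERE username = ? AND expires_at > NOW()'
    );
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($pass, (string) $hash)) {
        return $deny;
    }
    return [200, [], ['authenticated' => true]];
}

// Placeholder connection settings; replace with the real DSN and credentials.
$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4',
              'example_user', getenv('DB_PASSWORD') ?: '',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// For an "Authorization: Basic ..." request header PHP exposes the decoded
// credentials as PHP_AUTH_USER / PHP_AUTH_PW.
[$status, $headers, $body] = authResponse(
    $db, $_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null
);
if ($status === 200) {
    session_start();
    session_regenerate_id(true);   // fresh session ID after login
    $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
}
http_response_code($status);
foreach ($headers as $h) {
    header($h);
}
header('Content-Type: application/json');
header('Cache-Control: no-store');
echo json_encode($body);
```

When PHP runs as CGI or FPM rather than as an Apache module, Apache may need to be configured to pass the `Authorization` header through before `PHP_AUTH_USER` is populated.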