igorw - 1 month ago

Question

Correct HTTP status code for login form?

I am implementing the authentication for an app, and I am using a pluggable system with "authentication methods". This allows me to implement both HTTP Basic as well as HTML-based authentication.

With HTTP Basic/Digest auth the server sends a 401 Unauthorized response header. However, according to the HTTP/1.1 RFC:

The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

Since I do not know of any "html" WWW-Authenticate header, sending a 401 with an HTML login form seems inappropriate. Is there any alternative to this? I want to design my app in a RESTful way.

What is the correct HTTP Status code (and headers) for an HTML-based login form? And what is the correct code when the login fails?

Note: I am not interested in Digest Authentication.

Answer

For HTML I think you should respond with a 400.

This may be true for non-HTML requests as well, since 401 is, as far as I understand it, more designed to respond to a request for content that requires authentication, not to respond to an authentication request.

HTML does not always allow for pure use of RESTful APIs, so it's ok to cut corners here and there imo, but maybe there is a better way I'm not seeing in this particular case.
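As an added illustration in Python (not code from the question or the answer), here are the two pluggable methods side by side: the Basic method answers with 401 plus the WWW-Authenticate challenge the RFC requires, while the HTML-form method, which has no challenge scheme, serves the form with 200 and answers a failed login with 400 as the answer proposes. The user store, realm and form markup are constructed placeholders.

```python
import base64
import hmac

# Constructed demo credential store; a real app would store password hashes.
USERS = {"alice": "correct horse"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="app"'}   # realm is a placeholder
LOGIN_FORM = '<form method="post" action="/login">...</form>'  # placeholder markup


def _credentials_valid(user, password):
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of where the strings differ
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def basic_header(user, password):
    """Build the Authorization value a client sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth(headers):
    """HTTP Basic method: every 401 carries the WWW-Authenticate challenge the RFC requires."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return 401, dict(CHALLENGE), ""          # no credentials yet: challenge
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, dict(CHALLENGE), ""          # unparseable token: treat as absent
    if not _credentials_valid(user, password):
        return 401, dict(CHALLENGE), ""          # wrong credentials: challenge again
    return 200, {}, f"hello {user}"


def html_form_auth(method, form):
    """HTML-form method: no WWW-Authenticate scheme exists for it, so the form is
    served with 200 and a failed login is answered with 400 (the answer's approach)."""
    html = {"Content-Type": "text/html"}
    if method == "GET":
        return 200, html, LOGIN_FORM
    if not _credentials_valid(form.get("user", ""), form.get("password", "")):
        return 400, html, LOGIN_FORM              # re-render the form with an error
    return 200, html, f"<p>hello {form['user']}</p>"
```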
