For example: a user "is trying" to enter a restricted area (i.e. the admin area on a webpage). What is better: kick him out of there without a single word, or inform him that this is the admin area and he is forbidden to enter?
views: 88
answers: 8
He'll know by virtue of HTTP redirect codes (302, etc.) if he was interested, so you might as well tell him. And IE might also do its annoying "click" "click" every time you redirect the page.
Depending on the technology you are using, this user will probably be automatically redirected to the login page and have a chance to identify himself as an administrator.
You could send back a 404 response as though the admin pages weren't there at all.
If they're "trying" to enter, that means that they already know it's an admin area, therefore, simply deny the login. Better yet, protect the admin area so that they can't even "try" to log in or get to that area at all (forbidden, IP restricted, etc.).
Let him know that it's restricted. To do otherwise smacks of security through obscurity, and will also hinder genuine users who cannot access the area because of some other reason (they've mistyped their password, for example). At least if you let them know 'This is a restricted area, access denied' then they can eliminate the possibility that they're visiting the wrong URL, for example.
Users who know what to do are OK. I'm thinking about users who try to do something "from finger", try different URL parameters etc.
If they shouldn't be accessing the page in the first place, and there is no legitimate way they could have got there, I wouldn't bother with any courtesy messages.
Only reason you'd have one is for the benefit of legitimate users. No point being helpful to a potential attacker.
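
The three responses suggested in the answers above (a redirect to the login page, a 404, and an explicit denial), side by side as an added example that is not part of any post in this thread. The `/admin` and `/login` paths, the toy `site` application and the `demo.is_admin` flag are assumptions made for the illustration.

```python
import logging

log = logging.getLogger("admin_guard")
ADMIN_PREFIX = "/admin"  # assumed location of the restricted area
LOGIN_URL = "/login"     # assumed login page

def reply(start_response, status, body, extra=()):
    headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
    start_response(status, headers + list(extra))
    return [body]

def site(environ, start_response):
    """Toy WSGI application: one public page and one admin page."""
    pages = {"/": b"home", "/admin": b"admin panel"}
    body = pages.get(environ["PATH_INFO"])
    if body is None:
        return reply(start_response, "404 Not Found", b"Not Found")
    return reply(start_response, "200 OK", body)

def admin_guard(app, policy):
    """policy: 'redirect' (302 to login), 'hide' (404), anything else -> 403."""
    def guarded(environ, start_response):
        path = environ["PATH_INFO"]
        in_admin = path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")
        # "demo.is_admin" is a hypothetical flag set by an upstream auth layer.
        if not in_admin or environ.get("demo.is_admin"):
            return app(environ, start_response)
        # Whatever the visitor is shown, the attempt is recorded server-side.
        log.warning("denied %r from %s", path, environ.get("REMOTE_ADDR", "-"))
        if policy == "redirect":
            return reply(start_response, "302 Found", b"", [("Location", LOGIN_URL)])
        if policy == "hide":
            # Must be byte-for-byte what a genuinely missing page returns,
            # otherwise the difference itself reveals the admin area.
            return reply(start_response, "404 Not Found", b"Not Found")
        return reply(start_response, "403 Forbidden",
                     b"This is a restricted area, access denied.")
    return guarded

def fetch(app, path, is_admin=False):
    """Call a WSGI app in-process; returns (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "demo.is_admin": is_admin}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

The denial is logged under every policy, so choosing the silent 404 costs nothing in visibility on the server side.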