I am writing a web application and I am not sure what the correct response to an unauthorized request is. For the user it is convenient when the server responds with a 302 and redirects him to the login page. However, somewhere deep inside I feel that 401 is more correct. I am also a little afraid that the 302 might be misinterpreted by search engines.

So how do you respond to your unauthorized requests?


Edit

I am using ASP.NET MVC. This is not important from a theoretical point of view. However, ASP.NET forms authentication uses the 302 approach.

I also like the behavior where the user is redirected after a successful login to the page he requested. I am not sure if this can be implemented easily with the 401 approach.

+1  A: 

I have to agree with you that the 401 result is actually the correct response.

That said, why not have a custom 401 page which is well designed and shows the unauthorised message as well as a link to the login page, with a 15-second JavaScript countdown to automatically send them there.

This way you give the correct 401 response to a bot, which is told that the page is restricted, but a real user gets redirected after being told that they are accessing a secured resource.

Richard
But that leaks some information: if you don't want people to know of the existence of the resource if they don't have access to it, then a 404 is more appropriate (they cannot tell if something exists if it's not found).
Chii
+4  A: 

I think the correct response is entirely dependent on the context of the request. In a web application intended for human (not machine) consumption, I prefer to redirect to login if the user is not authenticated and to render an error page if the user is authenticated but not authorized. I won't typically return an unauthorized response, as it contains too little information for the typical user to help them use the application.

For a web service, I would probably use the unauthorized response. Since it is typically consumed by a program on the other end, there is no need to provide a descriptive error message or redirection. The developer using the service should be able to discern the correct changes to make to their code to use the service properly -- assuming I've done a good job of documenting interface usage with examples.

As for search engines, a properly constructed robots.txt file is probably more useful in restricting them to public pages.

tvanfosson
+1  A: 

Send a 401 response, and include a login form on the page you return with it. (i.e. don't just include a link to the login page, include the whole form right there.)

Dave Hinton
Is it possible to send parameters to the 401 page? For example, a return URL with the address of the page the user was trying to access.
Jakub Šturc
I honestly don't think sending any content back in the 401 is "correct" although it is very handy.
Kinlan
Jakub: you don't send parameters to the 401 page. The address of the page the user was trying to access *is* the address of the 401 page. The difference is that you show the user the page they wanted if they are logged in, and show them the 401 page when they are logged out.
Dave Hinton
OK. This sounds reasonable. What about Kinlan's comment? Wouldn't 403 be less incorrect?
Jakub Šturc
403 means that nobody is allowed to view the page they were asking for, no matter which user they log in as. That is not appropriate when you want them to log in.
Dave Hinton
A: 

How are the search engines going to be indexing the secured pages in the first place? Unauthorized users, such as bots, shouldn't be getting that far in the first place IMHO.

Wyatt Barnett
Links to edit or add posts may be visible to anonymous users (and search engines), but the linked page is actually protected, so it would make sense to indicate why all these edit/add links generate the same content to search engines, wouldn't it?
HorusKol
+1  A: 

401 seems grammatically correct; however, a 401 is actually a statement presented back to the browser to ask for credentials. The browser would then expect to check the WWW-Authenticate header so that it could challenge the user to enter the correct details.

To quote the spec:

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" [43].

If you do a 302 you at least guarantee that the user will be directed to a page where they can log in if a non-standard login is being used. I wouldn't care much what search engines and the like think about 401s.

Kinlan
+1  A: 

Don't bother about the search engines if your site is mainly used by humans. The ideal approach when a user reaches a protected page is to redirect them to a login page, so that they can be forwarded to the protected page after a successful login.

You cannot accomplish that with a 401 error, unless you are planning to include a login form in the error page. From the usability point of view, the first case (302) is more reasonable.

Besides, you could write code to redirect humans to the login page, and send search engines a 401.

TFM
Different behavior for humans and bots is discrimination. This cannot be right.
Jakub Šturc
Hardly. Bots are discriminated against every day, especially spambots.
TFM
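The three outcomes argued over in this thread, as an added Python example that is not code from the question or any of the answers: a 302 carrying a return URL for browser clients (the forms-authentication flow), a 401 with the WWW-Authenticate challenge the quoted spec requires for non-browser clients, and a 403 for a user who is authenticated but not permitted. The `/login` path, the role model and the use of the Accept header to tell browsers from other clients are assumptions made for the example.

```python
from typing import Optional
from urllib.parse import quote

LOGIN_PATH = "/login"  # assumed login page path, not taken from the question


def classify_request(path: str, headers: dict, user: Optional[dict],
                     allowed_roles: set) -> dict:
    """Decide how to answer a request for a protected resource.

    Returns {'status', 'headers', 'body'} so the decision can be inspected
    without running a server. `user` is None when nobody is logged in;
    otherwise it carries a 'roles' list (assumed shape for this example).
    """
    # Assumed heuristic: a client that asks for HTML is treated as a browser.
    # Crawlers may also send text/html, so a real site might combine this
    # with a User-Agent check; the Accept header alone keeps the example small.
    wants_html = "text/html" in headers.get("Accept", "")

    if user is None:
        if wants_html:
            # Browser, not logged in: 302 to the login page with the original
            # URL percent-encoded as returnUrl so the user can be sent back
            # after a successful login. The value is encoded, not trusted,
            # and the login page must still validate it is a local path.
            location = f"{LOGIN_PATH}?returnUrl={quote(path, safe='')}"
            return {"status": 302, "headers": {"Location": location}, "body": ""}
        # API client or crawler, not logged in: 401 must carry a challenge.
        return {
            "status": 401,
            "headers": {"WWW-Authenticate": 'Basic realm="protected"'},
            "body": "authentication required",
        }

    # Logged in, but the identity lacks every role the page requires: 403.
    # Re-authenticating as the same user would not change the outcome.
    if not allowed_roles & set(user.get("roles", [])):
        return {"status": 403, "headers": {}, "body": "forbidden"}

    return {"status": 200, "headers": {}, "body": f"protected content at {path}"}
```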