views: 211

answers: 4

I would like to know what is the best practice for informing a user that their access attempt was denied. I realize there are probably more options, but these are the methods I'm considering:

  1. Inform a user on a dedicated "Access Denied" page reached when my script redirects them via header("Location:")
  2. Inform a user with a message in the requested dynamic page

I'd like to know the pros vs cons. Currently I can come up with these:

  1. Pro for redirection : possibly more obfuscated?
  2. Pro for message in requested page : less requests on the HTTP server?
A: 

Redirect to an error page or an error controller/action in the current request (if you are using some MVC structure).

And also make sure that you send the correct HTTP headers (code 401 is the right one for access denied) so that a search robot or similar understands what's going on.

1. Pro for redirection : possibly more obfuscated?

What's the point of obfuscating?

2. Pro for message in requested page : less requests on the HTTP server?

Nearly all your traffic will be used by serving content that isn't access denied pages. So I don't really think that's a reason to decide for the one or the other. It's not like users will be F5-hammering on sites they can't access anyway.

EDIT: To summarize: It doesn't really make a difference, but if you can, try not to redirect, and make sure that the proper headers are sent.

EDIT2: As James Wheare pointed out in the comments it's against the HTTP spec to redirect to an error page. In other words: Do not redirect, but print the error directly on the page where it occured along with the proper headers.

André Hoffmann
Redirecting to an error page means that you're sending a 3xx status code for the page that contains the error, and the unauthorised status code for an arbitrary page. This breaks the HTTP spec, which dictates that the correct status code should be sent for a particular URL (resource). Also, this is bad for SEO for the reasons mentioned in my edited answer.
James Wheare
A: 

What percentage of your password failures are illegitimate access attempts, and what percentage are mistyped passwords? If it's mostly the former, yeah, redirect them to a separate HTTP page if you think that'll make it more inconvenient for them.

On the other hand, if you just put a message on the same page, you make it much easier for legitimate customers to enter their correct password.

Aric TenEyck
+1  A: 

Don’t use a redirect. Better to send a proper status code (e.g. 406) together with the error document.

Gumbo
+1 for this. I would note though, that 401 would be the proper status to use here. 406 is for unsatisfiable preconditions. Eg. when the client requests a content-type that isn't available etc.
troelskn
@troelskn: That was my first thought too. But: *“The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.”* (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2)
Gumbo
+2  A: 

I would advise strongly against redirecting for the simple reason that the original URL is no longer editable.

If I made a typo in the url:

http://example.com/users/jwheared

And got redirected to:

http://example.com/denied

It's more of a hassle for me to now correct my typo:

http://example.com/users/jwheare

This same principle applies to 404 or any other error page. Also if it's a temporary server error, redirecting to a different URL removes the ability to wait a bit and then just refresh the page later.

In addition to this user-centric advice, the error page should be served with a relevant HTTP error code (probably 401 Unauthorized as mentioned in other answers).

Best practice is to follow the HTTP spec, and none of the 3xx redirection status codes apply to the situation you described.

Edit: Another important point is that this will potentially harm your search engine performance. If a crawler visits an unauthorised page and receives a redirect, it will see all your unauthorised pages as one, and potentially boost the ranking of the error page. If you send the correct error headers, then the crawler is more likely to correctly identify that URL as unauthorised and just ignore it.

Web crawlers are often dumb clients that implement the bare minimum of the HTTP spec. It pays to think about them as well as people using a web browser.

James Wheare
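The two patterns debated above (redirecting to a shared "denied" page versus serving the error at the requested URL with the right status), written out as a pair of WSGI handlers so the difference a client or crawler actually observes can be checked. This is an added example, not code from the question or any of the answers. The `/users/<name>` resource, the constructed `ACCOUNTS` table, the realm name and the `call` helper are assumptions made for illustration. It also goes one step past the thread: per RFC 2616 a 401 must carry a `WWW-Authenticate` challenge (Gumbo's point), so the direct handler sends 401 only when no usable credentials arrived and 403 Forbidden when valid credentials simply do not grant the resource.

```python
"""Refusing a request in WSGI: the redirect pattern from the question beside
the direct-error pattern the answers recommend.

Added example, not code from the original question or answers.  The
/users/<name> resource, the constructed ACCOUNTS table, the realm name and
the `call` helper are assumptions made for illustration.
"""
import base64
import binascii

# Constructed credential store (assumption): each user may view only their own page.
ACCOUNTS = {"jwheare": "correct horse", "gumbo": "pw2"}
REALM = "users"


def _basic_credentials(environ):
    """Parse an HTTP Basic Authorization header into (user, password), else None."""
    scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def _decide(environ):
    """Return (status, body): the page on success, otherwise the error status
    that applies to this URL.  401 when no valid credentials were sent (a
    challenge makes sense), 403 when credentials are valid but do not grant
    this particular resource."""
    path = environ.get("PATH_INFO", "/")
    if not path.startswith("/users/"):
        return "404 Not Found", b"No such page\n"
    owner = path[len("/users/"):]
    creds = _basic_credentials(environ)
    if creds is None or ACCOUNTS.get(creds[0]) != creds[1]:
        return "401 Unauthorized", b"Please log in to view this page\n"
    if creds[0] != owner:
        return "403 Forbidden", b"You may not view another user's page\n"
    return "200 OK", f"Profile of {owner}\n".encode()


def redirect_app(environ, start_response):
    """The pattern from the question: on any denial, redirect to one shared
    error page.  The client sees 302 for the URL it asked for and 200 for
    /denied, and the address bar no longer shows the URL that was refused."""
    if environ.get("PATH_INFO") == "/denied":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"Access denied\n"]
    status, body = _decide(environ)
    if status.startswith("200"):
        start_response(status, [("Content-Type", "text/plain")])
        return [body]
    start_response("302 Found", [("Location", "/denied")])
    return [b""]


def direct_app(environ, start_response):
    """The pattern the answers recommend: the error body is served at the
    requested URL with the status that describes it, so the user can fix a
    typo in the address bar and a crawler sees an unauthorised resource
    rather than many redirects into one rankable error page."""
    status, body = _decide(environ)
    headers = [("Content-Type", "text/plain")]
    if status.startswith("401"):
        # RFC 2616 10.4.2: a 401 response MUST include a WWW-Authenticate challenge.
        headers.append(("WWW-Authenticate", f'Basic realm="{REALM}"'))
    start_response(status, headers)
    return [body]


def call(app, path, auth=None):
    """Invoke a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # The same mistyped URL from the answer above, seen through each handler.
    for app in (redirect_app, direct_app):
        status, headers, _ = call(app, "/users/jwheared")
        print(f"{app.__name__}: {status} {headers}")
```

Running the block shows the redirect handler answering the mistyped URL with `302 Found` and `Location: /denied`, while the direct handler answers the same URL with `401 Unauthorized` and a `WWW-Authenticate` header, leaving the user on the page they typed. The same `_decide` function backs both handlers, so the only thing that differs is how the refusal is reported.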