ansaurus

Question

What http status code is supposed to be used to tell the client the session has timed out?

Answer 1

+2 A:

HTTP is a state-less protocol. There really isn't a status associated with "session timeout". Since session is a concept enforced by an application server, some 5xx error would probably be most appropriate.

AJ 2009-10-31 05:25:44

Answer 2

+2 A:

Code 408. "Request timeout", seems perfect -- RFC 2616 explains it means

The client did not produce a request within the time that the server was prepared to wait.

i.e., exactly a "time-out", just as you require!

Alex Martelli 2009-10-31 05:27:50

Ah, but take a look at the rest of the definition:"The client may repeat the request without modifications at any later time.""Without modifications" would imply that a new session could be created simply by reloading/refreshing the request. In most cases, when authentication is being used, the user would have to login again first.

AJ 2009-10-31 05:33:09

@AJ, of course the repeated request may run into an authentication challenge (HTTP code 401) -- don't see anything in HTTP specs forbidding **that**, can you point to anything?

Alex Martelli 2009-10-31 05:43:16

408 tells the client that they should just try re-submitting the request as is, which obviously can't work if the session has timed out.

Tim Post 2009-10-31 11:37:58

Answer 3

+3 A:

I believe the appropriate code is going to be 403/Forbidden. There aren't any that are directly related to sessions.

Jason 2009-10-31 05:35:05

Absolutely this is the correct answer. Since the session has timed out, the request is forbidden, so this is the best choice.

marcc 2009-10-31 05:37:48

403 tells the client (basically) "Don't do that again unless you modify your request" , but if the session was established, no modification would be needed. Furthermore, you can't do anything to the (current) request to re-establish the session in most cases.

Tim Post 2009-10-31 11:37:00

Answer 4

+2 A:

If I had to pick one, I'd use a 307 (temporary redirect). Depending on how your URIs are structured, its likely that the client should continue to try the request just as they did in the future, with a current exception being that they need to login first.

Really, none of them fit the problem.

For the morbidly curious, here is the spec:

10.3.8 307 Temporary Redirect

   The requested resource resides temporarily under a different URI.
   Since the redirection MAY be altered on occasion, the client SHOULD
   continue to use the Request-URI for future requests.  This response
   is only cacheable if indicated by a Cache-Control or Expires header
   field.

   The temporary URI SHOULD be given by the Location field in the
   response. Unless the request method was HEAD, the entity of the
   response SHOULD contain a short hypertext note with a hyperlink to
   the new URI(s) , since many pre-HTTP/1.1 user agents do not
   understand the 307 status. Therefore, the note SHOULD contain the
   information necessary for a user to repeat the original request on
   the new URI.

   If the 307 status code is received in response to a request other
   than GET or HEAD, the user agent MUST NOT automatically redirect the
   request unless it can be confirmed by the user, since this might
   change the conditions under which the request was issued.

Tim Post 2009-10-31 05:57:19

ansaurus

tags:

views:

answers:

What http status code is supposed to be used to tell the client the session has timed out?

related questions