My question is rather similar to this Return “correct” error code, or protect privacy?, but I'd like to hear some different answers.
We have WEB site most pages of which may be visited by not logged in user. But when not logged in user tries to access resource (Page) that requires authorization (user must have FooRole role), we automatically redirect him to Login page and after providing correct credentials return back to restricted resources. What WEB site should do if user has provided correct credentials, but his access rights has happen to be not enough (he has BarRole but not FooRole)?
In current implementation we return HTTP 403 response (forbidden). But some developers argue that 404 code must be returned because it provides better security - user should not distinguish not existing and not accessible resources. From the point of security it maybe better to return 404, but in described situation user was redirected to Login page and that behavior "hints" that such page exists so it is not very logically return 404 (it is my thoughts). If user has been already authorized and tries to access restricted resources (directly modifying URL) then, well, it may be logically return 404 error.
Maybe such "auto redirect to Login" feature is not good? Can you suggest me what behavior is more "standard/good/user-friendly/hacks-free" in such situation?
Thanks!