tags:

views:

227

answers:

2
+5  Q: 

What is correct HTTP status code when redirecting to a login page?

When a user is not logged in and tries to access an page that requires login, what is the correct HTTP status code for a redirect to the login page?

I don't feel that any of the 3xx fit that description.

10.3.1 300 Multiple Choices

The requested resource corresponds to any one of a set of representations, each with its own specific location, and agent- driven negotiation information (section 12) is being provided so that the user (or user agent) can select a preferred representation and redirect its request to that location.

Unless it was a HEAD request, the response SHOULD include an entity containing a list of resource characteristics and location(s) from which the user or user agent can choose the one most appropriate. The entity format is specified by the media type given in the Content- Type header field. Depending upon the format and the capabilities of

the user agent, selection of the most appropriate choice MAY be performed automatically. However, this specification does not define any standard for such automatic selection.

If the server has a preferred choice of representation, it SHOULD include the specific URI for that representation in the Location field; user agents MAY use the Location field value for automatic redirection. This response is cacheable unless indicated otherwise.

10.3.2 301 Moved Permanently

The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.

The new permanent URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

If the 301 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

  Note: When automatically redirecting a POST request after
  receiving a 301 status code, some existing HTTP/1.0 user agents
  will erroneously change it into a GET request.

10.3.3 302 Found

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

  Note: RFC 1945 and RFC 2068 specify that the client is not allowed
  to change the method on the redirected request.  However, most
  existing user agent implementations treat 302 as if it

were a 303 response, performing a GET on the Location field-value regardless of the original request method. The status codes 303 and 307 have been added for servers that wish to make unambiguously clear which kind of reaction is expected of the client.

10.3.4 303 See Other

The response to the request can be found under a different URI and SHOULD be retrieved using a GET method on that resource. This method exists primarily to allow the output of a POST-activated script to redirect the user agent to a selected resource. The new URI is not a substitute reference for the originally requested resource. The 303 response MUST NOT be cached, but the response to the second (redirected) request might be cacheable.

The different URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

  Note: Many pre-HTTP/1.1 user agents do not understand the 303
  status. When interoperability with such clients is a concern, the
  302 status code may be used instead, since most user agents react
  to a 302 response as described here for 303.

10.3.5 304 Not Modified

If the client has performed a conditional GET request and access is allowed, but the document has not been modified, the server SHOULD respond with this status code. The 304 response MUST NOT contain a message-body, and thus is always terminated by the first empty line after the header fields.

The response MUST include the following header fields:

  - Date, unless its omission is required by section 14.18.1 If a

clockless origin server obeys these rules, and proxies and clients add their own Date to any response received without one (as already specified by [RFC 2068], section 14.19), caches will operate correctly.

  - ETag and/or Content-Location, if the header would have been sent
    in a 200 response to the same request
  - Expires, Cache-Control, and/or Vary, if the field-value might
    differ from that sent in any previous response for the same
    variant If the conditional GET used a strong cache validator (see

section 13.3.3), the response SHOULD NOT include other entity-headers. Otherwise (i.e., the conditional GET used a weak validator), the response MUST NOT include other entity-headers; this prevents inconsistencies between cached entity-bodies and updated headers.

If a 304 response indicates an entity not currently cached, then the cache MUST disregard the response and repeat the request without the conditional.

If a cache uses a received 304 response to update a cache entry, the cache MUST update the entry to reflect any new field values given in the response.

10.3.6 305 Use Proxy

The requested resource MUST be accessed through the proxy given by the Location field. The Location field gives the URI of the proxy. The recipient is expected to repeat this single request via the proxy. 305 responses MUST only be generated by origin servers.

  Note: RFC 2068 was not clear that 305 was intended to redirect a
  single request, and to be generated by origin servers only.  Not
  observing these limitations has significant security consequences.

10.3.7 306 (Unused)

The 306 status code was used in a previous version of the specification, is no longer used, and the code is reserved.

10.3.8 307 Temporary Redirect

The requested resource resides temporarily under a different URI. Since the redirection MAY be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s) , since many pre-HTTP/1.1 user agents do not understand the 307 status. Therefore, the note SHOULD contain the information necessary for a user to repeat the original request on the new URI.

If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

I'm using 302 for now, until I find THE correct answer.

UPDATE/CONCLUTION:

HTTP 302 is better since its known to have best compability with clients/browsers.

+2  A: 

I'd say 303 see other 302 Found:

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

fits a login page most closely in my opinion. I initially considered 303 see other which would work just as well. After some thought, I'd say 302 Found is more fitting because the requested resource was found, there just is another page to go through before it can be accessed. The response doesn't get cached by default which is fine as well.

Pekka  2010-05-15 09:21:47
I agree, but i think 302 Found indicates that the resource was found, just under another url. Ex. I i want to se /my-messages/ the server answer with a 302 because "today" my messages are located in "/login/" (instead of "/messages/") ... I use 302, but I dont feel the context is 100% matching. Since the login-page is a different resource and not having the same content as requested.
PHP_Jedi  2010-05-15 09:42:08
@PHP_Jedi true. 303 may be more appropriate from that point of view. However, 302 is more reliable in terms of client compatibility.
Pekka  2010-05-15 09:44:08
Yep, I'm thinking that 303 might fit the the context better since it states "The response to the request can be found under a different URI". This is telling me that it is not the resource itself that is to be found in another URI, but only the response to this request.
PHP_Jedi  2010-05-15 09:50:00
@PHP_Jedi yup, that in combination that the response must not be cached, sounds indeed like the most correct way. However, if you are targeting a wide variety of clients (e.g. HTTP client libraries on servers), I'd still consider 302 to serve those reliably. If it's just a web site, a 303 will likely work fine.
Pekka  2010-05-15 09:51:28
303 states "This method exists primarily to allow the output of a POST-activated script...". That is not the case for me... Even if there was a POST, the login page does not output it. Ex if a user mark some messages in "/my-messages/" and POST a delete. If the session has timed out, the login page does not output any of these POST parameters.
PHP_Jedi  2010-05-15 10:14:54
@PHP_Jedi I'm not sure whether it's worth putting that much time into this. Both clients and servers in the http world have to be extremely liberal and fault-tolerant anyway, so there will be no real difference whether you use `302` or `303`, except that `302` is better known. I find the level of detail commendable and it's always good to get things right, but too much effort may be futile in this specific area.
Pekka  2010-05-15 10:38:30
+1  A: 

Hello fellas,

I think the appropriate solution is the HTTP 401 (Not Authorized) header.

http://en.wikipedia.org/wiki/HTTP_codes#4xx_Client_Error

The purpose of this header is exactly this. But, instead of redirecting to a login page, the correct process would be something like:

  • User not logged try to access a login-restricted page.
  • system identifies user is not logged
  • system returns HTTP 401 header, AND display the login form in the same response (not a redirect).

This is a good practice, like providing a useful 404 page, with sitemap links, and a search form for example.

See you.

Dave  2010-05-28 17:25:49
The RFC states:"The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource."A 401 response is really only applicable when using an HTTP authentication scheme.
bshacklett  2010-07-30 17:43:04

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases