I am writing a small website. There is PHP session based authorization. What HTTP response code should I send, if a user doesn't have access to a certain page?

Is 412 Precondition Failed a good idea? I think 401 Unauthorized is good only for HTTP authorization. 400 Bad Request and 403 Forbidden look too general.

+3  A: 

I would use 403. It means what it says: the user is forbidden to see the page.

... it doesn't get any simpler than that.

MvanGeest
+5  A: 

403 Forbidden means "the name/password you gave is invalid for this URL" - that's what you want.

401 Unauthorized means "give me name and password".

412 Precondition Failed is something completely different (related to conditional requests; see the RFC).

and 400 Bad Request means "huh? what are you talking about?" (request is malformed and server doesn't know what to do with it)

See also: RFC 2616 - HTTP 1.1

Note: If you want to show your own "you are not allowed to do this" page, make sure that it's over 512 bytes, else IE will show its own, so-called friendly error message instead (see e.g. this and this).

Piskvor
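As an added illustration (not code from either answer), here is how the advice above can be applied in a PHP session-based site: a protected page checks the session, sends 403 Forbidden when the logged-in user lacks the required role, and pads its own error page past 512 bytes. The session keys `$_SESSION['user']` and `$_SESSION['roles']`, the role name `admin`, and the login form at `/login.php` are assumptions for the example.

```php
<?php
// Added example, not from the original answers: a session-based access check that
// sends 403 Forbidden (with a body over 512 bytes, as recommended above) when the
// logged-in user is not allowed to view the page.
// Assumptions: $_SESSION['user'] is set at login, $_SESSION['roles'] is an array of
// role names, and the site's own login form lives at /login.php.

session_start();

function deny_access(string $reason): void
{
    // 403: the request is well-formed and the user is known; they are simply not allowed here.
    http_response_code(403);
    header('Content-Type: text/html; charset=utf-8');
    header('Cache-Control: no-store');

    $safeReason = htmlspecialchars($reason, ENT_QUOTES, 'UTF-8');
    $body = "<!DOCTYPE html>\n<html><head><title>403 Forbidden</title></head>\n"
          . "<body><h1>Forbidden</h1><p>$safeReason</p>\n";
    $footer = "</body></html>\n";

    // Pad the response past 512 bytes inside an HTML comment (nothing visible changes)
    // so that old Internet Explorer shows this page instead of its own error page.
    $padding = max(0, 513 - strlen($body) - strlen($footer));
    if ($padding > 0) {
        $body .= '<!-- ' . str_repeat('.', $padding) . " -->\n";
    }

    echo $body . $footer;
    exit;
}

function require_role(string $role): void
{
    if (empty($_SESSION['user'])) {
        // Not logged in at all: a session-based site sends the visitor to its own login
        // form rather than 401, which would make the browser show an HTTP auth prompt.
        header('Location: /login.php', true, 303);
        exit;
    }
    $roles = $_SESSION['roles'] ?? [];
    if (!in_array($role, $roles, true)) {
        deny_access('Your account does not have permission to view this page.');
    }
}

// Usage at the top of a protected page:
require_role('admin');
echo '<p>Admin-only content.</p>';
```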