tags:

views:

256

answers:

2
+3  Q: 

403 Forbidden vs 401 Unauthorized HTTP responses

For a web page that exists, but for which a user that does not have sufficient privileges, (they are not logged in or do not belong to the proper user group), what is the proper HTTP response to serve? 401? 403? Something else? What I've read on each so far isn't very clear on the difference between the two. What use cases are appropriate for each response?

+1  A: 

According to RFC 2616 (HTTP/1.1) 403 is sent when:

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead

In other words, if the client CAN get access to the resource by authenticating, 401 should be sent.

Cumbayah  2010-07-21 07:26:43
And if it's not clear if they can access or not? Say that I have 3 user levels - Public, Members, and Premium Members. Assume that the page is for Premium Members only. A public user is basically unauthenticated and *could* be in either Members or Premium Members when they log in. For the Member user level, a 403 would seem appropriate. For Premium Members, the 401. However, what do you serve the Public?
VirtuosiMedia  2010-07-21 07:40:32
Thanks for the help. Between you and Oded, I think I get the difference.
VirtuosiMedia  2010-07-21 07:53:49
+1  A: 

See the RFC:

401 Unauthorized:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

403 Forbidden:

The server understood the request, but is refusing to fulfill it.

Update

From your use case, it appears that the user is not authenticated. I would return 401.

Oded  2010-07-21 07:28:08
For the use case in my question, which would be better? Both seem like they could apply.
VirtuosiMedia  2010-07-21 07:33:07
@VirtuosiMedia - answer updated. Use a 401, as they are not authenticated.
Oded  2010-07-21 07:38:34
Thanks, that helped clarify it for me. I'm using both - the 401 for unauthenticated users, the 403 for authenticated users with insufficient permissions.
VirtuosiMedia  2010-07-21 07:51:51
@VirtuosiMedia - sounds about right :)
Oded  2010-07-21 07:53:45

related questions

jQuery not loading
Webpages cannot access folders. (IIS)
How to generate sample 401, 403 http responses?
Automatic IIS6 403.4 redirect to SSL not working
403 error after adding javascript to masterpage for sharepoint.
Strange Sharepoint 403 error
Http 403 or 404 for accessing restricted WEB resource?
MVC routing is not handling one of my directories
403 error in Google App Engine with staticdir
sharepoint website error 403
Browser behavior on 403 Forbidden error
Apache Forbidden error on clean CentOS install
WebRequest C# 403 Error
Is there a way to force apache to return 404 instead of 403?
Why does wcf web service hosted in iis over ssl. result in "403 forbidden"? Jquery $.post sends OPTIONS verb?
Drupal6: Accessing node info from hook_preprocess_page(&$vars)
apache mod_security says - Access Denied error
Automatic Request to a web Page
Whats wrong with this 403 error redirect
ProxyPassMatch directive problems
The remote server returned an error: (403) Forbidden.
SharePoint 403 error for users not exist in "All People"
Problem redirecting 403 Forbidden to 404 Not Found.
git instaweb gives 403 Forbidden - No projects found
Apache gives me 403 Access Forbidden when DocumentRoot points to two different drives