Re: best status code for bad auth method

On Fri, 9 Dec 2011, Adrien de Croy wrote:

> 407 also implicitly says try again, whereas 403 says don't... so I'm leaning 
> towards the 403.
> I guess the number of web browsers this will affect is about 0... so only 
> un-manned applications will see this

Surely 407 is already in wide use for this? I would expect many proxies to 
just not care about non-supported auth methods and since it didn't find a 
correct auth header, it would respond with a 407.

And in regards to it saying the client should try again, I consider it similar 
to sending an auth header with bad credentials compared to no credentials. The 
client must know what it did before when it gets a 407 back, and then change 
it accordingly before it tries again.



Received on Friday, 9 December 2011 07:48:39 UTC