Re: Auth scheme in 401 response header

> On 24 Jan 2018, at 11:56 pm, Jordan Chaitin <jordanchaitin@gmail.com> wrote:
> 
> Hi all,

Hi.

> I’m a web developer looking for an appropriate http status code for situations when the user submits an invalid password. 

Are you using the HTTP authentication framework (RFC7235), or something else? I.e., how is the password submitted?


> AFAIK, it is commonly understood that 401 is the most suitable but it requires that a WWW-Authenticate header is sent back. However, this header needs to mention the authentication type and the list of valid authentication schemes (as found at http://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml ) doesn’t include anything related to cookies. Google led me to a draft proposal by Thomas Broyer (https://tools.ietf.org/html/draft-broyer-http-cookie-auth) which seems to have quietly died almost a decade back. 

Aha.

401 is for use with the HTTP authentication framework, not cookies (unless someone specifies a cookie-based authentication scheme to make it explicit; that's been discussed in the past, but never got traction).

Using it for other things (like cookie-based auth) is going to confuse generic software (e.g., proxies, CDNs, browsers, etc.).

200 is fine here; it indicates that the request was processed successfully as far as HTTP is concerned; the application using HTTP still can have problems, but they can be conveyed in headers and/or the body.

FWIW, this may also help:
  https://www.mnot.net/blog/2017/05/11/status_codes


> I would be grateful if someone could throw some light on current guidance what authentication scheme to use in the www-auth-header with the 401 response when the user submits a wrong password.

Hope this helps.

Cheers,



--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 29 January 2018 06:29:24 UTC