StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POCorrect http status code for resource which requires authorization
primarykey
Id
8389253
data
AcceptedAnswerId
0
AnswerCount
8
ClosedDate
CommentCount
4
CommunityOwnedDate
CreationDate
2011-12-05T17:23:09.867
FavoriteCount
22
LastActivityDate
2017-06-22T08:54:17.020
LastEditDate
2017-05-23T12:03:01.573
LastEditorUserId
-1
OwnerUserId
508666
ParentId
0
PostTypeId
1
Score
56
ViewCount
15765
LastEditorDisplayName
text
Body
There seems to be a lot of confusion about the correct http status code to return if the user tries to access a page which requires the user to login. So basically what status code will be send when I show the login page? I'm pretty sure we need to use a status code in the <code>4xx</code> range. I'm not talking about HTTP authentication here, so that's at least 1 status code we aren't going to use (<code>401 Unauthorized</code>). Now what should we use? The answers (also here on SO) seem to vary: According to the answer <a href="https://stackoverflow.com/questions/4301877/http-status-code-for-missing-authentication#answer-4301901">here</a> we should use <code>403 Forbidden</code>. But in the description of the status code is: <blockquote> Authorization will not help and the request SHOULD NOT be repeated. </blockquote> Well that doesn't look like the right one. Since authorization WOULD help. So let´s check out some other answer. The answer <a href="https://stackoverflow.com/questions/2839585/what-is-correct-http-status-code-when-redirecting-to-a-login-page#answer-2839594">here</a> even doesn't use the <code>4xx</code> range at all but rather uses <code>302 Found</code> The description of the <code>302 Found</code> status code: <blockquote> The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field. </blockquote> I think that also isn't what I want. Since it is not the requested resource which resides under a different URI. But rather a completely different resource (login page vs authenticated content page). So I moved along and picked another <a href="https://stackoverflow.com/questions/6110672/correct-http-status-code-for-login-form#answer-6110891">answer</a> surprisingly with yet another solution. This answer suggest we choose <code>400 Bad Request</code>. The description of this status code is: <blockquote> The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications. </blockquote> I think the server understood the request just fine, but just refuses to give access before the user is authenticated. Another <a href="https://stackoverflow.com/questions/4301877/http-status-code-for-missing-authentication#answer-4301905">answer</a> also says a <code>403</code> response is correct, however it ends with: <blockquote> If this is a public facing website where you are trying to deny access based on a session cookie [that's what I do], 200 with an appropriate body to indicate that log in is needed or a 302 temporary redirect to a log in page is often best. </blockquote> So <code>403</code> is correct, but <code>200</code> or <code>302</code> is THE BEST. Hey! That's what I am looking for: THE BEST solution. But shouldn't the best be the same as the correct one? And why would it be the best? Thanks to all who have made it this far into this question :) I know I shouldn't worry too much about it. And I think this question is more hypothetical (not really, but used it because of lack of a better word). But this question is haunting me for some time now. And if I would have been a manager (who just picked up some cool sounding words as they always do) I would have said: but, but, but, but restfulness is important. :-) So: what is <code>the right way™</code> of using a status code in the above situation (if any)? tl;dr What is the correct http status code response when a user tries to access a page which requires login?
Tags
<rest><http-status-codes>
Title
Correct http status code for resource which requires authorization
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USPeeHaa
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
3. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POCorrect http status code for resource which requires authorization
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POCorrect http status code for resource which requires authorization
 UserUserId
 USPeeHaa
 VoteTypeVoteTypeId
 VTBountyStart
3. VO
 singulars
 PostPostId
 POCorrect http status code for resource which requires authorization
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.