Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

@authenticated should raise HTTPError(401), not HTTPError(403) #687

clarkorz opened this Issue Mar 1, 2013 · 1 comment


None yet
2 participants

clarkorz commented Mar 1, 2013

according to rfc2616 section 10.4.2 and 10.4.4, @authenticated should raise 401 when authentication failed, not 403.
403 means you can't get the resource even if you have passed the authentication.


bdarnell commented Mar 2, 2013

But the spec also says that 401 responses MUST include a WWW-Authenticate challenge, which isn't appropriate for cookie-based authentication. Neither response code is ideal, but common practice is to use 403 even though the semantics aren't quite right instead of using a 401 without a WWW-Authenticate.

@bdarnell bdarnell closed this Mar 2, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment