@authenticated should raise HTTPError(401), not HTTPError(403) #687

Closed
clarkorz opened this Issue · 1 comment
@clarkorz

According to RFC 2616 sections 10.4.2 and 10.4.4, @authenticated should raise 401 when authentication failed, not 403.
403 means you can't get the resource even if you have passed the authentication.

@bdarnell
Owner

But the spec also says that 401 responses MUST include a WWW-Authenticate challenge, which isn't appropriate for cookie-based authentication. Neither response code is ideal, but common practice is to use 403 even though the semantics aren't quite right instead of using a 401 without a WWW-Authenticate.

@bdarnell bdarnell closed this
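
The distinction discussed in this thread, as an added example (not Tornado's code and not written by either participant): a standard-library `http.server` handler that answers 401 with a `WWW-Authenticate` challenge on a Basic-auth path and 403 on a cookie-session path. The credentials, session table, paths, and the `basic_header` and `probe` helpers are constructed for illustration.

```python
import base64, hmac, threading
from http.client import HTTPConnection
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo values (assumptions, not from the issue).
API_USER, API_PASS = "demo", "s3cret"
SESSIONS = {"abc123": "alice"}  # session cookie value -> user name

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        if self.path.startswith("/api"):
            # Header-based scheme: a challenge exists, so 401 is well-formed.
            given = self.headers.get("Authorization", "").encode()
            expected = basic_header(API_USER, API_PASS).encode()
            if hmac.compare_digest(given, expected):
                return self._reply(200)
            return self._reply(401, [("WWW-Authenticate", 'Basic realm="demo"')])
        # Cookie session: no HTTP challenge to send, so 403.
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies["session"].value if "session" in cookies else ""
        self._reply(200 if sid in SESSIONS else 403)

def probe(path, headers=None):
    """Serve one GET on an ephemeral loopback port; return (status, challenge)."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    try:
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()
        server.shutdown()
        server.server_close()
```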