@authenticated should raise HTTPError(401), not HTTPError(403) #687

clarkorz opened this Issue · 1 comment


According to RFC 2616 sections 10.4.2 and 10.4.4, @authenticated should raise 401 when authentication failed, not 403.
403 means you can't get the resource even if you have passed the authentication.


But the spec also says that 401 responses MUST include a WWW-Authenticate challenge, which isn't appropriate for cookie-based authentication. Neither response code is ideal, but common practice is to use 403 even though the semantics aren't quite right instead of using a 401 without a WWW-Authenticate.

@bdarnell bdarnell closed this
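
An added example, not part of the issue thread or the project's code: where authentication is header-based rather than cookie-based, a challenge does apply, so a handler can raise 401 and attach `WWW-Authenticate` itself. It assumes the thread concerns Tornado's `tornado.web`; `authenticated_401`, `ApiHandler`, `probe`, the realm and the credentials are hypothetical names and constructed values.

```python
import asyncio, base64, functools, hmac
import tornado.httpserver, tornado.web
from tornado.httpclient import AsyncHTTPClient
from tornado.testing import bind_unused_port

USERS = {"alice": "constructed-password"}  # constructed sample credentials

def authenticated_401(method):
    """Hypothetical variant of @authenticated for header-based (non-cookie) auth."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        if not self.current_user:
            raise tornado.web.HTTPError(401)
        return method(self, *args, **kwargs)
    return wrapper

class ApiHandler(tornado.web.RequestHandler):
    def get_current_user(self):
        scheme, _, blob = self.request.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            user, _, pw = base64.b64decode(blob).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return None
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(expected.encode(), pw.encode())
        return user if ok else None

    def write_error(self, status_code, **kwargs):
        # send_error() clears previously set headers, so the challenge that
        # RFC 2616 requires on a 401 has to be added here.
        if status_code == 401:
            self.set_header("WWW-Authenticate", 'Basic realm="example"')
        super().write_error(status_code, **kwargs)

    @authenticated_401
    def get(self):
        self.write("hello " + self.current_user)

def probe(headers=None):
    """Serve ApiHandler on a loopback port; return (status, challenge header)."""
    async def run():
        sock, port = bind_unused_port()
        server = tornado.httpserver.HTTPServer(tornado.web.Application([("/api", ApiHandler)]))
        server.add_sockets([sock])
        resp = await AsyncHTTPClient().fetch(
            "http://127.0.0.1:%d/api" % port, headers=headers, raise_error=False)
        server.stop()
        return resp.code, resp.headers.get("WWW-Authenticate")
    return asyncio.run(run())
```
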