What is correct HTTP status code when redirecting to a login page?

Http, Redirect, Http Status-Codes

Http Problem Overview


When a user is not logged in and tries to access a page that requires login, what is the correct HTTP status code for a redirect to the login page?

I am asking because none of the 3xx response codes set out by the W3C seem to fit the requirements:

> 10.3.1 300 Multiple Choices
>
> The requested resource corresponds to any one of a set of representations, each with its own specific location, and agent-driven negotiation information (section 12) is being provided so that the user (or user agent) can select a preferred representation and redirect its request to that location.
>
> Unless it was a HEAD request, the response SHOULD include an entity containing a list of resource characteristics and location(s) from which the user or user agent can choose the one most appropriate. The entity format is specified by the media type given in the Content-Type header field. Depending upon the format and the capabilities of the user agent, selection of the most appropriate choice MAY be performed automatically. However, this specification does not define any standard for such automatic selection.
>
> If the server has a preferred choice of representation, it SHOULD include the specific URI for that representation in the Location field; user agents MAY use the Location field value for automatic redirection. This response is cacheable unless indicated otherwise.
>
> 10.3.2 301 Moved Permanently
>
> The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.
>
> The new permanent URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).
>
> If the 301 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
>
> Note: When automatically redirecting a POST request after receiving a 301 status code, some existing HTTP/1.0 user agents will erroneously change it into a GET request.
>
> 10.3.3 302 Found
>
> The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.
>
> The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).
>
> If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
>
> Note: RFC 1945 and RFC 2068 specify that the client is not allowed to change the method on the redirected request. However, most existing user agent implementations treat 302 as if it were a 303 response, performing a GET on the Location field-value regardless of the original request method. The status codes 303 and 307 have been added for servers that wish to make unambiguously clear which kind of reaction is expected of the client.
>
> 10.3.4 303 See Other
>
> The response to the request can be found under a different URI and SHOULD be retrieved using a GET method on that resource. This method exists primarily to allow the output of a POST-activated script to redirect the user agent to a selected resource. The new URI is not a substitute reference for the originally requested resource. The 303 response MUST NOT be cached, but the response to the second (redirected) request might be cacheable.
>
> The different URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).
>
> Note: Many pre-HTTP/1.1 user agents do not understand the 303 status. When interoperability with such clients is a concern, the 302 status code may be used instead, since most user agents react to a 302 response as described here for 303.
>
> 10.3.5 304 Not Modified
>
> If the client has performed a conditional GET request and access is allowed, but the document has not been modified, the server SHOULD respond with this status code. The 304 response MUST NOT contain a message-body, and thus is always terminated by the first empty line after the header fields.
>
> The response MUST include the following header fields:
>
> - Date, unless its omission is required by section 14.18.1
>
> If a clockless origin server obeys these rules, and proxies and clients add their own Date to any response received without one (as already specified by [RFC 2068], section 14.19), caches will operate correctly.
>
> - ETag and/or Content-Location, if the header would have been sent in a 200 response to the same request
> - Expires, Cache-Control, and/or Vary, if the field-value might differ from that sent in any previous response for the same variant
>
> If the conditional GET used a strong cache validator (see section 13.3.3), the response SHOULD NOT include other entity-headers. Otherwise (i.e., the conditional GET used a weak validator), the response MUST NOT include other entity-headers; this prevents inconsistencies between cached entity-bodies and updated headers.
>
> If a 304 response indicates an entity not currently cached, then the cache MUST disregard the response and repeat the request without the conditional.
>
> If a cache uses a received 304 response to update a cache entry, the cache MUST update the entry to reflect any new field values given in the response.
>
> 10.3.6 305 Use Proxy
>
> The requested resource MUST be accessed through the proxy given by the Location field. The Location field gives the URI of the proxy. The recipient is expected to repeat this single request via the proxy. 305 responses MUST only be generated by origin servers.
>
> Note: RFC 2068 was not clear that 305 was intended to redirect a single request, and to be generated by origin servers only. Not observing these limitations has significant security consequences.
>
> 10.3.7 306 (Unused)
>
> The 306 status code was used in a previous version of the specification, is no longer used, and the code is reserved.
>
> 10.3.8 307 Temporary Redirect
>
> The requested resource resides temporarily under a different URI. Since the redirection MAY be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.
>
> The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s), since many pre-HTTP/1.1 user agents do not understand the 307 status. Therefore, the note SHOULD contain the information necessary for a user to repeat the original request on the new URI.
>
> If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

I'm using 302 for now, until I find the correct answer.

Update & conclusion:

HTTP 302 is better since it's known to have the best compatibility with clients/browsers.

Http Solutions


Solution 1 - Http

I'd say ~~303 see other~~ 302 Found:

> The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

fits a login page most closely in my opinion. I initially considered 303 see other which would work just as well. After some thought, I'd say 302 Found is more fitting because the requested resource was found, there just is another page to go through before it can be accessed. The response doesn't get cached by default which is fine as well.
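The redirect this answer recommends, written out as an added example (not code from the question or any of the answers). It assumes a login page at `/login`, a `next` query parameter carrying the originally requested path, and a plain boolean for "is there a session"; none of those come from the page. It issues 302 Found for GET/HEAD, falls back to 303 See Other for other methods so the client is told unambiguously to GET the login page rather than replay a body, marks the redirect uncacheable so a shared cache never hands it to a later logged-in user, and keeps `next` a same-origin path so the login page cannot be used as an open redirect.

```python
"""Added example: redirect-to-login response builder (not from the original page).

Assumptions (not from the page): LOGIN_PATH, the `next` parameter and the
bool session flag are made up here.
"""
from http import HTTPStatus
from urllib.parse import urlencode, urlsplit

LOGIN_PATH = "/login"  # assumed location of the login page


def safe_next_path(path: str) -> str:
    """Reduce `next` to a same-origin, absolute-path reference.

    Anything with a scheme or host (https://..., //host/...), a backslash
    (browsers treat it as a slash) or a non-absolute path is replaced by "/",
    so the login page can never bounce a user to another origin.
    """
    if "\\" in path:
        return "/"
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"
    return parts.path + (f"?{parts.query}" if parts.query else "")


def require_login(method: str, path: str, authenticated: bool):
    """Return (status, headers) for a request to a login-protected page.

    authenticated            -> 200 (stands in for serving the page)
    not authenticated, GET   -> 302 Found to the login page, as the answer says:
                                the resource exists, there is just another page
                                to go through first
    not authenticated, other -> 303 See Other, so the client fetches /login with
                                GET instead of re-sending the POST/PUT body to it
    """
    if authenticated:
        return HTTPStatus.OK, {}
    status = HTTPStatus.FOUND if method in ("GET", "HEAD") else HTTPStatus.SEE_OTHER
    location = f"{LOGIN_PATH}?{urlencode({'next': safe_next_path(path)})}"
    headers = {
        "Location": location,
        # The redirect depends on the session, so it must never be cached by
        # an intermediary and served to a different (logged-in) user.
        "Cache-Control": "no-store",
        "Vary": "Cookie",
    }
    return status, headers


if __name__ == "__main__":
    for method in ("GET", "POST"):
        print(method, *require_login(method, "/account/settings", False))
    print(safe_next_path("//evil.example/phish"))  # constructed hostile input
```

The `Vary: Cookie` header is there for the same reason as `no-store`: the response differs per session, and a cache that ignores `no-store` should at least key on the cookie.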

Solution 2 - Http

This is a misuse of the HTTP redirection mechanism. If the user is not authorized, then your app must return 401 Unauthorized. In case the user is authorized but does not have access to the requested resource, then 403 Forbidden must be returned.

You should do the redirect on the client side, e.g. by JavaScript. A status code for redirection because required authorization does not exist. Using 30x for this does not conform to HTTP.

[How to Think About HTTP Status Codes by Mark Nottingham][1]

> 401 Unauthorized triggers HTTP's request authentication mechanism.

The 401 Unauthorized status code requires the presence of a WWW-Authenticate header, which supports various authentication types:

> WWW-Authenticate: <type> realm=<realm>

Bearer, OAuth, Basic, Digest, Cookie, etc.

  • [Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry][3]
  • [Cookie-based HTTP Authentication - DRAFT][4]

[1]: https://www.mnot.net/blog/2017/05/11/status_codes "How to Think About HTTP Status Codes by Mark Nottingham"
[2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ "HTTP headers"
[3]: https://iana.org/assignments/http-authschemes/http-authschemes.xhtml "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry"
[4]: https://datatracker.ietf.org/doc/html/draft-broyer-http-cookie-auth-00 "Cookie-based HTTP Authentication - DRAFT"

Solution 3 - Http

I think the appropriate solution is the HTTP 401 (Not Authorized) header.

http://en.wikipedia.org/wiki/HTTP_codes#4xx_Client_Error

The purpose of this header is exactly this. But, instead of redirecting to a login page, the correct process would be something like:

  • A user who is not logged in tries to access a login-restricted page.
  • The system identifies that the user is not logged in.
  • The system returns an HTTP 401 header AND displays the login form in the same response (not a redirect).

This is good practice, like providing a useful 404 page with sitemap links and a search form, for example.

See you.
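The 401/403 approach that Solutions 2 and 3 describe, as one added example (not code from the question or any answer). The response is a pure function of the request so it can be checked without a server. Assumptions not taken from the page: the session is a dict (or `None` when nobody is logged in) carrying a `permissions` list, the realm name and the login-form markup are invented here, and an API client is recognised by `Accept: application/json`. A browser user gets 401 with the login form in the same response, as Solution 3 recommends; an API client gets 401 with a JSON body naming the login URL so it can redirect on the client side, as Solution 2 recommends; a logged-in user without the needed permission gets 403, with no challenge, because authenticating again would not help.

```python
"""Added example: 401 (with WWW-Authenticate challenge) vs 403 decision
(not from the original page).

Assumptions (not from the page): REALM, LOGIN_FORM, the session dict layout
and the Accept-based client detection are made up here.
"""
from http import HTTPStatus
import html
import json

REALM = "example"  # assumed realm name

# Assumed login form; the `next` field carries the originally requested path.
LOGIN_FORM = """<!doctype html>
<title>Sign in</title>
<form method="post" action="/login">
  <input type="hidden" name="next" value="{next_path}">
  <label>User <input name="username" autocomplete="username"></label>
  <label>Password <input name="password" type="password" autocomplete="current-password"></label>
  <button>Sign in</button>
</form>
"""


def wants_json(headers: dict) -> bool:
    """Treat a client that asks for application/json as an API client."""
    return "application/json" in headers.get("Accept", "").lower()


def authorize(session, required_permission: str, path: str, headers: dict):
    """Return (status, headers, body) for a request to a protected resource."""
    if session is None:
        resp_headers = {
            # 401 requires a challenge. "Bearer" is an IANA-registered scheme
            # that browsers do not turn into a native credentials dialog, so
            # the HTML form in the body is what a browser user actually sees;
            # the "Cookie" scheme the answer links is only a draft.
            "WWW-Authenticate": f'Bearer realm="{REALM}"',
            "Cache-Control": "no-store",
        }
        if wants_json(headers):
            # API client: tell it where to log in and let it redirect itself.
            resp_headers["Content-Type"] = "application/json"
            body = json.dumps({"error": "authentication_required", "login": "/login"})
        else:
            # Browser: login form in the same 401 response, no redirect.
            # The path is HTML-escaped before it lands in an attribute value.
            resp_headers["Content-Type"] = "text/html; charset=utf-8"
            body = LOGIN_FORM.format(next_path=html.escape(path, quote=True))
        return HTTPStatus.UNAUTHORIZED, resp_headers, body
    if required_permission not in session.get("permissions", ()):
        # Authenticated but not allowed: 403, and no WWW-Authenticate.
        return HTTPStatus.FORBIDDEN, {"Cache-Control": "no-store"}, "forbidden"
    return HTTPStatus.OK, {"Cache-Control": "private"}, f"resource at {path}"


if __name__ == "__main__":
    # Constructed sample requests.
    print(authorize(None, "read", "/account", {"Accept": "text/html"})[:2])
    print(authorize(None, "read", "/api/me", {"Accept": "application/json"}))
    print(authorize({"user": "alice", "permissions": ["read"]}, "admin", "/admin", {})[:2])
```

The distinction the function keeps is the one Solution 2 draws: 401 says "I do not know who you are, here is how to tell me", 403 says "I know who you are and the answer is no". Only the first carries a `WWW-Authenticate` header.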

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
|---|---|---|
| Question | Vidar Vestnes | View Question on Stackoverflow |
| Solution 1 - Http | Pekka | View Answer on Stackoverflow |
| Solution 2 - Http | Filip | View Answer on Stackoverflow |
| Solution 3 - Http | Davis Peixoto | View Answer on Stackoverflow |