Question

I noticed today that when you try to log in to Amazon and get your password wrong it returns a 200 OK response. I'm sure most websites also operate in this fashion. Semantically speaking, is this really the appropriate code to return? Wouldn't a code of 401 Unauthorized make more sense or am I thinking of that status code in the wrong way?


Solution 2

If I am sending the data via ajax I will use jQuery's .done() and .fail() functions. If the login failed for any reason I want to invoke the methods in .fail(), so I will send back a 400 (Bad Request) header; otherwise the methods in .done() would be fired.

But if you were redirecting to a login page with the failed details then yes, a 200 would be appropriate.

Other tips

Think of it this way: You're authorized to see the failed log-in page, therefore a 200 HTTP status code is appropriate.

Since we are talking about web sites which are displayed in the web browser, HTTP code 200 OK is right, since the user is allowed to see the page which displays "Authentication failed".

When the user (or web service client) tries to access a resource which he shouldn't belong to, 401 Unauthorized would be appropriate.

401 is reserved for authentication in the HTTP layer:

The response MUST include a WWW-Authenticate header field

You are talking about applications which were designed to implement authentication without HTTP's authentication. Therefore it's consistent not to reflect failures by HTTP status code.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow