Re: 401 Unauthorized - can I use it?
Henrik Frystyk Nielsen (frystyk@ptsun00.cern.ch)
Mon, 5 Dec 94 22:36:08 +0100
The 401 code is not tied to the basic AA scheme. The WWW-Authenticate and WWW-Authorization
headers both are defined to contain extension tokens. However, if you are sure that the
server is not going to send the object to the client and the client shouldn't try again
then the right code to use is `403 Forbidden'. If using the basic AA the server should repeat
sending back a 401 code following the current spec.
Though the server can switch to a 403 code if multiple attempts have been tried, but this
requires that the server keeps state of the connections which is outside the scope of the
spec.
-- cheers --
Henrik
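
An added example, not part of the original message: a sketch of the per-client state a server has to keep in order to answer 401 with a Basic challenge while retries are still welcome and 403 once they are not. The class name, the helper `basic`, the credential table, the realm, the client key and the limit of three failures are all assumptions made for illustration.

```python
import base64
import hmac

REALM = "example"                 # constructed realm name
USERS = {"alice": "s3cret"}       # constructed credential store
MAX_FAILURES = 3                  # assumed limit; the message names no number

def basic(user, password):
    """Build the value a client sends back after a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class AuthGate:
    """Chooses between 200, 401 and 403 for one protected resource."""

    def __init__(self):
        self.failures = {}        # the state that lies outside the protocol itself

    def _valid(self, header):
        # Anything other than a well-formed Basic credential counts as invalid.
        scheme, _, blob = (header or "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:        # covers bad base64 and bad UTF-8
            return False
        user, _, password = decoded.partition(":")
        expected = USERS.get(user)
        return expected is not None and hmac.compare_digest(
            password.encode(), expected.encode())

    def respond(self, client, authorization=None):
        """Return (status, headers) for one request from `client`."""
        if self.failures.get(client, 0) >= MAX_FAILURES:
            return 403, {}        # the client should not try again
        if self._valid(authorization):
            self.failures.pop(client, None)
            return 200, {}
        if authorization is not None:
            # Only a request that carried credentials counts as an attempt.
            self.failures[client] = self.failures.get(client, 0) + 1
            if self.failures[client] >= MAX_FAILURES:
                return 403, {}
        # Retrying is still allowed: repeat the challenge.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```

Without the `failures` table the server can only ever repeat the 401 challenge, which is the stateless behaviour the message describes.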