正确的需要授权的资源的http状态代码 [英] Correct http status code for resource which requires authorization

问题描述

如果用户尝试访问需要用户登录的页面，返回正确的http状态代码似乎有很多困惑.

There seems to be a lot of confusion about the correct http status code to return if the user tries to access a page which requires the user to login.

那么当我显示登录页面时，基本上会发送什么状态代码?

So basically what status code will be send when I show the login page?

我很确定我们需要使用4xx范围内的状态代码.

I'm pretty sure we need to use a status code in the 4xx range.

我在这里不是在谈论HTTP身份验证，因此至少我们将不使用(1)的状态码(401 Unauthorized).

I'm not talking about HTTP authentication here, so that's at least 1 status code we aren't going to use (401 Unauthorized).

现在我们应该使用什么?答案(在此处也是如此)似乎有所不同:

Now what should we use? The answers (also here on SO) seem to vary:

根据答案此处，我们应使用403 Forbidden.

According to the answer here we should use 403 Forbidden.

但是在状态码的描述中是:

But in the description of the status code is:

授权将无济于事，不应重复该请求.

Authorization will not help and the request SHOULD NOT be repeated.

看起来不正确.自授权以来将提供帮助.

Well that doesn't look like the right one. Since authorization WOULD help.

因此，让我们看看其他答案.答案此处甚至根本不使用4xx范围，而是使用302 Found

So let´s check out some other answer. The answer here even doesn't use the 4xx range at all but rather uses 302 Found

302 Found状态代码的描述:

所请求的资源临时位于其他URI下.由于重定向有时可能会更改，因此客户端应继续将Request-URI用于将来的请求.仅当由Cache-Control或Expires标头字段指示时，此响应才可缓存.

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

我认为那也不是我想要的.由于不是请求的资源位于不同的URI下.而是完全不同的资源(登录页面与经过身份验证的内容页面).

I think that also isn't what I want. Since it is not the requested resource which resides under a different URI. But rather a completely different resource (login page vs authenticated content page).

所以我继续前进，并选择了另一个 answer 令人惊讶的还有另一种解决方案.

So I moved along and picked another answer surprisingly with yet another solution.

此答案建议我们选择400 Bad Request.

此状态码的描述为:

由于语法格式错误，服务器无法理解该请求.客户端不应在未经修改的情况下重复请求.

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

我认为服务器可以很好地理解请求，但是只是拒绝对用户进行身份验证之前授予访问权限.

I think the server understood the request just fine, but just refuses to give access before the user is authenticated.

另一个 answer 也表示403响应是正确的，但是结尾为:

Another answer also says a 403 response is correct, however it ends with:

如果这是一个面向公众的网站，您正在其中尝试基于会话cookie拒绝访问(这就是我的工作)，请输入200(带有适当的正文以指示需要登录)或302临时重定向到登录页面通常是最好的.

If this is a public facing website where you are trying to deny access based on a session cookie [that's what I do], 200 with an appropriate body to indicate that log in is needed or a 302 temporary redirect to a log in page is often best.

所以403是正确的，但是200或302是最好的.

So 403 is correct, but 200 or 302 is THE BEST.

嘿！那就是我正在寻找的:最佳解决方案.但是最好的不应该和正确的一样吗?为什么会是最好的呢?

Hey! That's what I am looking for: THE BEST solution. But shouldn't the best be the same as the correct one? And why would it be the best?

感谢所有在这个问题上走得这么远的人:)

Thanks to all who have made it this far into this question :)

我知道我不应该对此太担心.而且我认为这个问题是假想的(不是真的，但由于缺少更好的词而使用了它).

I know I shouldn't worry too much about it. And I think this question is more hypothetical (not really, but used it because of lack of a better word).

但是这个问题困扰了我一段时间.

But this question is haunting me for some time now.

如果我会成为一名经理(他像往常一样只是听了一些很酷的话)，我会说:但是，但是，但是，宁静很重要. :-)

And if I would have been a manager (who just picked up some cool sounding words as they always do) I would have said: but, but, but, but restfulness is important. :-)

那么:在以上情况下(如果有)使用状态代码的the right way™是什么?

So: what is the right way™ of using a status code in the above situation (if any)?

tl;博士

当用户尝试访问需要登录的页面时，正确的http状态代码响应是什么?

What is the correct http status code response when a user tries to access a page which requires login?

推荐答案

如果用户未提供任何凭据，并且您的API要求使用它们，则返回401 - Unauthorized.这将挑战客户这样做.对于这种特殊情况，通常很少有争议.

If the user has not provided any credentials and your API requires them, return a 401 - Unauthorized. That will challenge the client to do so. There's usually little debate about this particular scenario.

如果用户提供了有效的凭据，但它们不足，无法访问所请求的资源(也许这些凭据用于免费增值帐户，但所请求的资源仅适用于您的付费用户)，则您有一个鉴于一些HTTP代码定义的松散，提供了两个选项:

If the user has provided valid credentials but they are insufficient to access the requested resource (perhaps the credentials were for a freemium account but the requested resource is only for your paid users), you have a couple of options given the looseness of some of the HTTP code definitions:

1. 返回403 - Forbidden.这是更具描述性的，通常被理解为所提供的凭据有效，但仍不足以授予访问权限"
2. 返回401 - Unauthorized.如果您对安全性抱有偏执，则可能不希望像上面(1)中返回的那样将额外的信息回馈给客户端.
3. 返回401或403，但在响应正文中提供有用的信息，描述拒绝访问的原因.同样，该信息可能超出您想要提供的信息，以防它在一定程度上帮助攻击者.

1. Return 403 - Forbidden. This is more descriptive and is typically understood as, "the supplied credentials were valid but still were not enough to grant access"
2. Return 401 - Unauthorized. If you're paranoid about security, you might not want to give the extra information back to the client as was returned in (1) above
3. Return either 401 or 403 but with helpful information in the response body describing the reasons why access is being denied. Again, that information might be more than you would want to provide in case it helps attackers somewhat.

就个人而言，我一直使用#1来传递有效凭据，但是与它们关联的帐户无权访问所请求的资源.

Personally, I've always used #1 for the scenario where valid credentials have been passed but the account they're associated with doesn't have access to the requested resource.

这篇关于正确的需要授权的资源的http状态代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！