What HTTP code to use in "Not Authenticated" and "Not authorized" cases?
Question
I read that "401 Unauthorized" code must be used when a user:
- is not logged in, but needs to be ("not authenticated");
- is logged in, but his profile does not allow him to see the URL ("not authorized");
According to RFC, in both cases server must return 401 code.
But I need to differentiate them in my ajax requests.
Anybody have a tip to solve this?
Note: I don't want to use 403 Forbidden code, because in 403 "Authorization will not help", according to RFC.
Recommended answer
You should pass a custom header in addition to the status code for application specific needs.
I believe the current practice is to preface custom headers with X-
From the RFC 3864 posted in the comments (dated September 2004):
In some cases (notably HTTP [24]), the header syntax and usage is redefined for the specific application. [...] In some cases, the same field name may be specified differently (by different documents) for use with different application protocols. [...] We need to accommodate application-specific fields, while wishing to recognize and promote (where appropriate) commonality of other fields across multiple applications.
In a more recent RFC (6648, dated June 2012), they specifically address X- headers.
Deprecates the "X-" convention for newly defined parameters in application protocols, including new parameters for established protocols. [...] Does not recommend against the practice of private, local, preliminary, experimental, or implementation-specific parameters, only against the use of "X-" and similar constructs in the names of such parameters.
Important to note is that while X- is specifically noted, they do still implicitly condone custom headers as a way of transferring information. An application specific prefix (MyApp-) might be more appropriate to avoid ever colliding with any other headers.
See also: Use of "X-" headers in HTTP responses, from a few years ago.
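One way to apply the answer, as an added example that is not part of the original post: the server keeps the 401 status in both cases and adds an application-prefixed header the ajax client switches on. The header name "MyApp-Auth-Status", the bearer-token sessions and the per-URL access list are assumptions constructed for the example.

```javascript
// Added example, not from the original answer. Both failure cases keep the
// 401 status the question settles on; an application-prefixed header (name
// "MyApp-Auth-Status" is an assumption) tells the ajax client which one it is.
// SESSIONS and ACL are constructed sample data standing in for real lookups.
const SESSIONS = { "tok-alice": "alice", "tok-bob": "bob" };
const ACL = { "/admin": ["alice"], "/profile": ["alice", "bob"] };
const CHALLENGE = 'Bearer realm="myapp"';

// Server side: compute status and headers as plain data so the decision can be
// tested without a socket. RFC 7235 requires WWW-Authenticate on every 401, so
// both branches carry it; only the custom header differs.
function authorize(url, authorizationHeader) {
  const token = (authorizationHeader || "").replace(/^Bearer\s+/i, "");
  const user = SESSIONS[token];
  if (!user) {
    return { status: 401, headers: { "WWW-Authenticate": CHALLENGE,
                                     "MyApp-Auth-Status": "not-authenticated" } };
  }
  if (!(ACL[url] || []).includes(user)) {
    return { status: 401, headers: { "WWW-Authenticate": CHALLENGE,
                                     "MyApp-Auth-Status": "not-authorized" } };
  }
  return { status: 200, headers: { "MyApp-Auth-Status": "ok" }, user };
}

// Node-style request handler: pass it to http.createServer(handle).
function handle(req, res) {
  const result = authorize(req.url, req.headers.authorization);
  res.writeHead(result.status, result.headers);
  res.end(result.status === 200 ? `hello ${result.user}\n` : "");
}

// Client side: what the ajax error callback does with the response. The header
// lookup is case-insensitive because XHR/fetch may hand back lowercased names.
function classify(status, headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? undefined : headers[key];
  };
  if (status === 200) return "ok";
  if (status !== 401) return "error";
  switch (get("MyApp-Auth-Status")) {
    case "not-authenticated": return "redirect-to-login";
    case "not-authorized": return "show-access-denied";
    default: return "error"; // a 401 without our marker is treated as a generic failure
  }
}
```

The marker carries only a coarse category, so an unauthenticated caller learns nothing about the resource beyond what the 401 already says.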