401 Unauthorized vs 403 Forbidden: Which is the right status code for when the user has not logged in?


Problem description

After lots of Googling and Stackoverflowing, it still isn't clear to me because many articles and questions/answers were too general (including 403 Forbidden vs 401 Unauthorized HTTP responses, which was not specifically for my use-case).

Question: What's the proper HTTP status code when the user has not logged in and requests to see some pages that should be shown only to logged-in users?

Recommended answer

The exact satisfying once-and-for-all answer I found is:

Short answer:

Explanation:

While we know that first comes authentication (has the user logged in or not?) and then we go into authorization (does he have the needed privilege or not?), here's the key that makes us mistake:

But isn't "401 Unauthorized" about authorization rather than authentication?

Back when the HTTP spec (RFC 2616) was written, the two words may not have been as widely understood to be distinct. It's clear from the description and other supporting texts that 401 is about authentication.

From: HTTP Status Codes 401 Unauthorized and 403 Forbidden for Authentication and Authorization (and OAuth).

So maybe, if we want to rewrite the standards! focusing enough on each word, we may refer to the following table:

Status Code | Old foggy naming | New clear naming | Use case
----------- | ---------------- | ---------------- | ----------------------------------
401         | Unauthorized     | Unauthenticated  | User has not logged in
403         | Forbidden        | Unauthorized     | User doesn't have enough privilege
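The two-step decision the answer describes (authentication first, then authorization), as an added example that is not part of the original answer. The session store, the role names and the `check_access` function are constructed for illustration; the `WWW-Authenticate` header on the 401 is what RFC 7235 requires so the client knows how to log in.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample session store (hypothetical): session token -> (user, roles)
SESSIONS: Dict[str, Tuple[str, Set[str]]] = {
    "sess-alice": ("alice", {"user"}),
    "sess-bob": ("bob", {"user", "admin"}),
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def check_access(session_token: Optional[str], required_role: str,
                 realm: str = "app") -> Response:
    """Pick the status code in the order the answer gives: authentication
    (is anyone logged in?) before authorization (does that identity hold
    the required role?)."""
    # Step 1, authentication: no session or an unknown token means the
    # caller is "Unauthenticated", which the spec spells 401 Unauthorized.
    # RFC 7235 requires a WWW-Authenticate header on every 401 response.
    session = SESSIONS.get(session_token) if session_token else None
    if session is None:
        return Response(401, {"WWW-Authenticate": f'Bearer realm="{realm}"'},
                        "log in first")
    user, roles = session
    # Step 2, authorization: the identity is known but lacks the privilege,
    # which is 403 Forbidden. No WWW-Authenticate here: logging in again as
    # the same user would not change the outcome.
    if required_role not in roles:
        return Response(403, {}, f"{user} lacks role {required_role}")
    return Response(200, {}, f"hello {user}")
```

Note that the 403 branch is only reached after a session was found, so a 403 always tells the client "we know who you are"; treat that ordering as part of the contract when reviewing handlers.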

