What does “Authorization will not help” mean in the HTTP specification for error 403?

HTTP 1.1 spec says:

10.4.4 403 Forbidden

The server understood the request, but refuses to fulfill it.
Authorization will not help, and the request MUST NOT be repeated. [...]

Does this only mean “Basic authorization”, as in WWW-Authenticate: Basic? Should 403 ever be issued for resources where some other user could potentially access the forbidden resource by means other than basic HTTP authentication (for example, through their session cookie, OpenID, etc.)?

I ask about this since HTTP 401 says that ...

the response MUST include a WWW-Authenticate header field

... and I'm not sure if I should add a header, for example WWW-Authenticate: Custom.

Many people seem to use 403, even in cases where a simple cookie could make the resource available. Are they all wrong?

+4
1 answer

I believe that you are correct that 403 should be used when a request is rejected regardless of authorization. An example of use would be to prevent browsing directories as described here:

http://www.checkupdown.com/status/E403.html

Perhaps people are using it incorrectly if 401 should be used instead.

401 403 SO, , 401 , 403 - .

, :

10.4.2 401

.

, :

  • 401 , ,
  • 403 , .
+3
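To make the 401-versus-403 decision concrete, here is an added example (not code from the question or the answer above) of a small request handler that applies the rule discussed: 401 with a WWW-Authenticate header when no valid credentials were presented, 403 when the authenticated identity is simply not permitted. The sessions, users, ACL and the Request/Response classes are constructed for the demonstration; the HTTP Basic parsing follows RFC 7617 (base64 of "user:password").

```python
"""Choosing between 401 and 403 (added example; assumed data model, not from the post)."""
import base64
import hmac
from dataclasses import dataclass, field

# Constructed sample state (hypothetical users, sessions and ACL for the demo).
SESSIONS = {"sess-abc": "alice"}                 # session cookie value -> user
BASIC_USERS = {"bob": "s3cret"}                  # demo only; real systems store hashes, not plaintext
ACL = {"/reports": {"alice"}, "/admin": set()}   # resource -> users allowed; nobody may reach /admin


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Build an RFC 7617 Authorization header value for a client request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def authenticate(req: Request):
    """Return the authenticated principal, or None if no valid credentials were presented.

    A session cookie and HTTP Basic are both accepted; either one establishes identity.
    """
    user = SESSIONS.get(req.cookies.get("session"))
    if user is not None:
        return user
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None                      # malformed credentials count as "not presented"
        user, _, password = decoded.partition(":")
        if user in BASIC_USERS and hmac.compare_digest(
            BASIC_USERS[user].encode(), password.encode()
        ):
            return user
    return None


def handle(req: Request) -> Response:
    """Map authentication and authorization outcomes to HTTP status codes."""
    if req.path not in ACL:
        return Response(404)
    user = authenticate(req)
    if user is None:
        # No usable identity: the spec's 401 case. The response MUST carry
        # WWW-Authenticate naming a scheme the server actually accepts, so the
        # client knows which credentials could change the outcome.
        return Response(401, {"WWW-Authenticate": 'Basic realm="example"'})
    if user not in ACL[req.path]:
        # Identity is known and the resource is denied to *this* principal:
        # re-sending the same credentials cannot help, hence 403. That another
        # user (e.g. via a cookie session) could reach the resource does not
        # change the verdict for this request.
        return Response(403)
    return Response(200)
```

Note the /admin entry: it is denied to everyone, so even a fully authenticated user receives 403, which is the cleanest reading of "authorization will not help". For applications that only accept cookie sessions there is no registered WWW-Authenticate scheme to advertise, which is why many of them answer an anonymous request with 403 or a redirect to a login page rather than a strictly conforming 401.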
