What HTTP status code should be used to inform the client that the session has timed out?

On the web page, the connection manager / YUI DataSource is used to send AJAX requests to the server. If the session (which holds whether the user has been authenticated) has already been terminated, the AJAX responses for resources that only authenticated users may view should return an HTTP status code telling the client that the session has already expired, so that the client can either simply redirect to the login page or ask whether the user wants to extend the session.

My question is: in this situation, which HTTP status code is most suitable for telling the client that the session has timed out?

List of HTTP status codes on Wikipedia

+58
ajax php yui
Oct 31 '09 at 5:19
9 answers

The best I can offer is an HTTP 401 status code with a WWW-Authenticate header.

The problem with 403 is RFC 2616: "Authorization will not help and the request SHOULD NOT be repeated." (i.e. it does not matter whether you are authenticated or not; you will never get access to this resource.)

The problem with 401 responses is that they "MUST include a WWW-Authenticate header field." As someone pointed out, it does not violate the specification to use a custom value in the WWW-Authenticate header.

I see no reason in RFC 2617 why an HTTP 401 status in combination with a custom WWW-Authenticate header like this would not be fine:

WWW-Authenticate: MyAuthScheme realm="http://example.com" 

The OAuth spec actually seems to do just that, since it recommends this (although it is a somewhat odd interpretation of the RFC):

 WWW-Authenticate: OAuth realm="http://server.example.com/" 

Apparently this does not make much sense under the RFC, but I cannot see that it is prohibited by it (it does not seem to conflict with any MUST or SHOULD, MUST NOT or SHOULD NOT).

I would like there to be a more specific HTTP status code for timeouts, and for things like invalid CSRF tokens, so that this was clearer.

+51
Apr 13 '12 at 4:40

I would recommend HTTP 401.

While 403 basically says "You are not allowed; go away and do not come back", 401 says "We don't know whether you are allowed or not, because you did not bring your ID. Go and try again."

Compare the Wikipedia definitions:

HTTP 403: The request was a legal request, but the server refuses to respond to it.

HTTP 401: Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or has not yet been provided.

+24
Mar 02 2018-12-12T00:

What about 419? It is not a standard, but the Wikipedia description seems to fit:

419 Authentication Timeout

Not part of the HTTP standard, 419 Authentication Timeout denotes that previously valid authentication has expired. It is used as an alternative to 401 Unauthorized in order to differentiate from otherwise authenticated clients being denied access to specific server resources.

+16
Jun 21 '13 at 15:16

I believe the appropriate code would be 403 / Forbidden. There is nothing that relates directly to sessions.

+13
Oct 31 '09 at 5:35

True, there is no standard HTTP status code for session timeout. Sessions are implemented at the application layer, not in the HTTP transport layer.

There is a special status code that Microsoft uses for session timeout: 599. Or just make up your own status code in the 5xx range.

From the Wikipedia status codes:

599 Network connect timeout error (Unknown): This status code is not specified in any RFC, but is used by Microsoft HTTP proxies to signal a network connect timeout behind the proxy to a client in front of the proxy.

I use the custom status code 599 for session timeout and then check for it in the AJAX response.

+11
Nov 29 '12 at 19:40

According to the Wikipedia link for HTTP status codes given above by Bobo:

440 Login Timeout (Microsoft): A Microsoft extension. Indicates that your session has expired.

+8
Mar 18 '14 at 15:45

Technically, the accepted answer is correct: if you already know for sure that you are going to refuse the request, and you are asking which rejection code to return, then HTTP 401 "Unauthorized (Unauthenticated)" is the appropriate one for requesting re-authentication.

But first of all, ask yourself: should you be refusing the request at all?

Note that the user may simply be visiting a public page of your site, in which case you are going to hit them in the face with "Unauthorized!" and require re-authentication in order to view a page they would normally see without authentication. Not cool.

My advice is to ignore the fact that the session token is unknown, and just start by creating a new session token and a new session for it. The initial state of the session will of course be "not yet authenticated", so if the user tries to access a non-public page, that page will make sure they receive HTTP 401 "Unauthorized (not authenticated)" and have to authenticate. But if the user lands on a public page, they will not notice anything.

0
Apr 17 '17 at 22:08

Code 408 "Request Timeout" seems perfect. RFC 2616 explains what it means:

The client did not produce a request within the time that the server was prepared to wait.

i.e. exactly the "timeout" you need!

-2
Oct 31 '09 at 5:27

For non-Ajax requests, I use a 302 redirect.

For Ajax requests, I use 200 for known errors. That way I can use a data object. I find a data object easier to work with than parsing jqXHR for information. And then I do not need to worry about which HTTP status code I might try to repurpose for my situation.

JQuery example:

    $.ajax({
        // send data to the server
    })
    .done(function (data, textStatus, jqXHR) {
        if (data.success) {
            // then process the returned data
        } else {
            // get the error type or message from the data object
            // (could use custom error codes)
        }
    })
    .fail(function (jqXHR, textStatus, errorThrown) {
        // handle unknown errors
    });

-2
Jun 10 '13 at 5:15


