Is it possible to send a 401 Unauthorized AND redirect (with a Location)?

http-headers http-status-code-401 http-redirect

By definition (see RFC 2616), the HTTP 302 response code is the redirect code. Without it, the location header may be ignored.

However, you can send an HTTP 401 response and still display output. Instead of redirecting the user to an error page, you could simply write your content you want to send in the HTTP body in the same request.


I'm coming in very late here but I thought I'd add my two cents. As I understand it, the desire is to indicate that the user doesn't have the correct authorization and to prompt them to log in. Rudie understandably would like to return 401 Unauthorized (because the user needs to authorize by some mechanism, eg. logging in), and also forward them to the login page - but this is not very easy to accomplish and isn't supported out-of-the-box by most libraries. One solution is to display the login page in the body of the 401 response, as was suggested in another answer. However, let me take a look at this from the perspective of established/best practice.

Test case 1: Facebook

Navigating to a protected Facebook page (my user profile) while logged out results in a 404 Not Found response. Facebook serves up a general purpose "this page is not available" page, which also includes a login form. Interesting. Even more interesting: when I navigate to the "events" page, I'm served a 302 response which forwards to a login page (which returns a 200 response). So I guess their idea is to return 302 for pages that we know exist, but serve 404 for pages which may or may not exist (eg. to protect a user's privacy).

Test case 2: Google Inbox

Navigating to my inbox when I am logged out returns 302 and forwards me to a login page, similar to Facebook. I wasn't able to figure out how to make my Google+ profile private so no test data there...

Test case 3: Amazon.com

Navigating to my order history when I am logged out returns 302 and forwards me to a login page as before. Amazon has no concept of a "profile" page so I can't test that here either.

To summarize the test cases here, it seems to be best practice to return a 302 Found and forward to a login page if the user needs to log in (although I would argue 303 See Other is actually more appropriate). This is of course just in the case where a real human user needs to input a username and password in an html form. For other types of authentication (eg. basic, api key, etc), 401 Unauthorized is obviously the appropriate response. In this case there is no need to forward to a login page.


3xx means Redirect
4xx means the browser did something wrong.

There's a reason why the codes are split up the way they are - they don't mix ;)

Related

What is the difference between x86 and x64
Placing links inside markdown code blocks
ToLocaleDateString() changes in IE11
Property observers willSet and didSet; Property getters and setters
How does Content-Security-Policy work with X-Frame-Options?
Sorting columns and selecting top n rows in each group pandas dataframe
What is the difference between Keras' MaxPooling1D and GlobalMaxPooling1D functions?
What does exclusion constraint `EXCLUDE USING gist (c WITH &&)` mean?
Why does Java have support for time zone offsets with seconds precision?
How do I specify in HTML or CSS the absolute minimum width of a table cell
Entity framework - "Problem in mapping fragments"-error. Help me understand the explanations of this error
Create SQL Server CE database file programmatically