Proper HTTP headers for login success / fail responses?

unicorn_crack · Aug 15, 2011 · Viewed 10.8k times

Are there any standards for using HTTP headers for login success / fail responses?

Answer

uncovery · Aug 17, 2011

The header that the server sends is either the 200 OK or the 401 denied status code, on success or failure respectively.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Section 10.4.2 401 Unauthorized for this.

When sending the 401, the server must send a

WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

to indicate what scheme should be used to authenticate.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html Section 14.47 WWW-Authenticate for this.
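The exchange the answer describes, worked through as an added example that is not part of the original answer: a request without credentials (or with wrong ones) gets a 401 together with a WWW-Authenticate challenge naming the scheme, and a request whose credentials check out gets a 200. The user store, the realm name and the helper names are assumptions for the demo; Basic is used as the challenge scheme because it is the simplest one to show end to end.

```python
import base64
import binascii
import hmac

REALM = "example"  # assumed realm name for the challenge
# Constructed demo credential store; a real service would keep salted password hashes.
USERS = {"alice": "correct horse battery staple"}


def basic_header(user, password):
    """Build the Authorization header a client would send for the Basic scheme."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header):
    """Return (user, password) from 'Basic <base64>' or None if the header is absent or malformed."""
    if header is None:
        return None
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet instead of ignoring them
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password itself may contain ':'
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time comparison; runs even for unknown users so timing does not reveal valid usernames."""
    expected = USERS.get(user)
    match = hmac.compare_digest(password.encode("utf-8"), (expected or "").encode("utf-8"))
    return match and expected is not None


def authenticate(authorization_header):
    """Return (status, extra_headers) for a request, per RFC 2616 sections 10.4.2 and 14.47.

    Every 401 carries a WWW-Authenticate challenge telling the client which scheme to use.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic_authorization(authorization_header)
    if creds is None:
        return 401, challenge          # no or unparseable credentials: issue the challenge
    user, password = creds
    if not credentials_valid(user, password):
        return 401, challenge          # wrong credentials: re-challenge, same response either way
    return 200, {}


if __name__ == "__main__":
    print(authenticate(None))
    print(authenticate(basic_header("alice", "correct horse battery staple")))
    print(authenticate(basic_header("alice", "wrong")))
```

Two caveats a practitioner will want: Basic only base64-encodes the password, so this exchange belongs behind TLS, and a 401 with a WWW-Authenticate header makes browsers pop their native credentials dialog, which is why sites with an HTML login form usually answer a failed form submission with a 200 (re-rendering the form) or a redirect rather than a 401.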