Proper use of HTTP error codes: 550 - why is it 5xx instead of 4xx?

Today a colleague used error 550 for the delete action when the user does not have permission, which at first looked wrong to me because, as far as I know, that kind of error is a client (i.e. 4xx) error, not a server (i.e. 5xx) error.

Looking at its description, it even suggests that it was used correctly, instead of error 401, which I used to use, with some "problems".

Problem with error 401: if user A is logged in and tries to perform an action that returns 401, he may assume that he should "log in" because he does not have valid credentials to access this HTTP resource. The problem with this approach is that if the user is registered, the server knows that he does not have permission; in that case 550 looks more suitable, but it still does not quite seem to me that you should use the 550 error code in this case.

Question: What is the correct use (if any) of 550 errors in web applications? I understand that it is used in FTP and SMTP relays. If a registered user sends a request for an action that is not allowed, what error should be returned?

Thanks!

1 answer

5xx errors are SERVER errors. If the user does not have permission, this should be a 4xx error.

However, you are right: error 401 means the user must be logged in to gain access, that is, authentication is required.

The error you are looking for is 403 Forbidden.

It has no ambiguity as to whether the user is logged in or not. It is clear-cut.

From the Wikipedia list of HTTP status codes ( http://en.wikipedia.org/wiki/List_of_HTTP_status_codes ) (my emphasis):

403 Forbidden

The request was valid, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference. On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated, but that the credentials still do not grant the client permission to access the resource (for example, a recognized user attempting to access restricted content).

Again, according to the above wiki, there is no such error as 550. I believe you could implement it yourself, but honestly there is probably no need. And in any case it would be a server error, as defined in the standards.

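To make the distinction from the answer concrete, here is an added example (not code from the original post or from the asker's project) of a DELETE handler that picks the status code in the order a web application should: no usable credentials gives 401 with the WWW-Authenticate header that RFC 7235 requires, a missing resource gives 404, and a logged-in user who simply may not delete the document gets 403. The session table, document ownership table and bearer-token scheme are constructed for the example and are assumptions; no 550 appears anywhere because, as the answer says, it is not an HTTP status code, which the last helper checks against Python's own HTTPStatus table.

```python
from http import HTTPStatus

# Constructed sample data (assumption, not from the original post):
# bearer tokens -> user names, and document ids -> owning user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
DOCUMENTS = {"doc-1": "alice", "doc-2": "bob"}


def authenticate(headers):
    """Return the user name for a valid bearer token, or None when the
    request carries no usable credentials (this is the 401 case)."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return SESSIONS.get(token.strip())


def delete_document(headers, doc_id, documents):
    """Handle DELETE /documents/<doc_id> and return (status, response_headers).

    The order of the checks is the whole point of the thread:
      401 -> we do not know who you are (and we tell you how to authenticate),
      404 -> the thing does not exist,
      403 -> we know exactly who you are and the answer is still no.
    None of these is a server fault, so none of them is a 5xx.
    """
    user = authenticate(headers)
    if user is None:
        # RFC 7235: a 401 must carry a WWW-Authenticate challenge.
        return HTTPStatus.UNAUTHORIZED, {"WWW-Authenticate": 'Bearer realm="api"'}
    owner = documents.get(doc_id)
    if owner is None:
        return HTTPStatus.NOT_FOUND, {}
    if owner != user:
        # Re-authenticating would not help: the credentials were accepted,
        # the server has simply decided this user may not delete this document.
        return HTTPStatus.FORBIDDEN, {}
    del documents[doc_id]
    return HTTPStatus.NO_CONTENT, {}


def is_registered_status(code):
    """True if `code` is a status code the Python standard library knows
    from the HTTP RFCs; 550 is not among them."""
    return any(s.value == code for s in HTTPStatus)


if __name__ == "__main__":
    docs = dict(DOCUMENTS)
    requests = [
        ({}, "doc-1"),                                         # anonymous
        ({"Authorization": "Bearer tok-bob"}, "doc-1"),        # wrong user
        ({"Authorization": "Bearer tok-alice"}, "doc-9"),      # no such doc
        ({"Authorization": "Bearer tok-alice"}, "doc-1"),      # owner
    ]
    for hdrs, doc in requests:
        status, extra = delete_document(hdrs, doc, docs)
        who = hdrs.get("Authorization", "<no credentials>")
        print(f"{who:22} DELETE {doc}: {int(status)} {status.phrase} {extra}")
    print("550 is a registered HTTP status:", is_registered_status(550))
```

One caveat a practitioner would add: RFC 7231 explicitly allows a server that wants to hide whether a resource exists at all to answer 404 instead of 403; if your document ids are guessable and ownership is sensitive, collapse the 403 branch into the 404 one. That is still a 4xx decision, not a reason to reach for a 5xx.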

Source: https://habr.com/ru/post/1480517/
