HTTP 401 - what's an appropriate WWW-Authenticate header value?
The application I'm working on at the moment has a session timeout value. If the user hasn't interacted for longer than this value, the next page they try to load, they will be prompted to log in.

All requests made are routed through this mechanism, which includes AJAX calls. Originally we were sending a 200 header with the login page, which introduces some problems with AJAX since code is run if a 200 response is sent, and most data sent back from these RPC calls is JSON or raw JavaScript that gets evaluated (don't ask :|).

I've suggested that a 401 is better, since our JSON parser won't try to consume an HTML login page.. :)

When reading the spec, however, I noticed that the WWW-Authenticate field must also be sent.

What is a good value for this field? Will Application Login suffice?

Cathern answered 17/11, 2009 at 11:55 Comment(0)
When indicating HTTP Basic Authentication we return something like:

WWW-Authenticate: Basic realm="myRealm"

Here Basic is the scheme and the remainder is very much dependent on that scheme. In this case realm just provides the browser a literal that can be displayed to the user when prompting for the user id and password.

You're obviously not using Basic however since there is no point having session expiry when Basic Auth is used. I assume you're using some form of Forms based authentication.

From recollection, Windows Challenge Response uses a different scheme and different arguments.

The trick is that it's up to the browser to determine what schemes it supports and how it responds to them.

My gut feel if you are using forms based authentication is to stay with the 200 + relogin page but add a custom header that the browser will ignore but your AJAX can identify.

For a really good User + AJAX experience, get the script to hang on to the AJAX request that found the session expired, fire off a relogin request via a popup, and on success, resubmit the original AJAX request and carry on as normal.

Avoid the cheat that just gets the script to hit the site every 5 mins to keep the session alive cause that just defeats the point of session expiry.

The other alternative is to burn the AJAX request, but that's a poor user experience.

Bobbi answered 17/11, 2009 at 12:10 Comment(5)
Thanks mate, I'm now using a 403 instead since it isn't a redirect and it literally includes the login form in place of the original page. It also better matches the W3 specification. Thanks for the information however. – Cathern
See this answer about how you can still use HTTP 401: #929374 – Joplin
Yes, just put anything in the WWW-Authenticate header, I suppose. Another answer in a similar vein is https://mcmap.net/q/41096/-what-should-i-pass-for-the-www-authenticate-header-on-401s-if-i-39-m-only-using-openid Or simply violate the spec and don't bother sending the header (at least a few sites do this); 401 is still more appropriate than 403. – Dogmatize
I'm not sure I would "just put anything" in the WWW-Authenticate header because I can't be sure if the request is handled by my ajax or the browser. Beyond the title of this question, given the detail which suggests forms based authentication, I would send no WWW-Authenticate header at all. This is because I'm not asking the browser to participate in the authentication / credential challenge thingy. I just want it to show a form which just happens to be a logon form, but with something the ajax can use to identify it is a logon form so it can handle it differently as above. – Bobbi
You should make up an authn scheme to use with the header. Then the browser won't get involved because it won't understand the scheme. Some clients get upset or confused if you don't include the header. – Trashy
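The relogin-and-resubmit flow from the answer above, written out as an added example (this is not code from the original answer or from the asker's application). It assumes the server answers an expired session with a 401 carrying a WWW-Authenticate value in a made-up scheme, here called `X-FormLogin` (a placeholder name), which browsers do not implement, so no browser credential dialog appears and only the script reacts. The server and the login popup are replaced by constructed stand-ins so the script runs offline under Node.

```javascript
// Added example, not code from the original answer: the "hold the request,
// relogin, then resubmit" flow, written against a fetch-like transport.
// Assumes the server marks an expired session with a 401 whose
// WWW-Authenticate scheme is the placeholder "X-FormLogin".

const SESSION_EXPIRED_SCHEME = 'x-formlogin'; // assumed custom scheme name

// True only for the application's own session-expired challenge, so that a
// genuine Basic/Digest 401 from a proxy is not mistaken for a login prompt.
function isSessionExpired(response) {
  if (response.status !== 401) return false;
  const challenge = response.headers.get('www-authenticate') || '';
  const scheme = challenge.trim().split(/\s+/)[0].toLowerCase();
  return scheme === SESSION_EXPIRED_SCHEME;
}

// Wraps a fetch-like function. `relogin` opens the login popup and resolves
// once the user has re-authenticated. Requests that expire at the same time
// share one relogin so the user is prompted once; each request is replayed
// at most once so a broken login cannot loop forever.
function createSessionAwareFetch(fetchImpl, relogin) {
  let pendingRelogin = null;

  function loginOnce() {
    if (!pendingRelogin) {
      pendingRelogin = relogin().finally(() => { pendingRelogin = null; });
    }
    return pendingRelogin;
  }

  return async function sessionAwareFetch(url, init = {}) {
    const first = await fetchImpl(url, init);
    if (!isSessionExpired(first)) return first;
    await loginOnce();                         // hang on to the request meanwhile
    const second = await fetchImpl(url, init); // resubmit the original request
    if (isSessionExpired(second)) {
      throw new Error('still unauthenticated after relogin');
    }
    return second;
  };
}

// Constructed stand-ins for the server and the login popup so this runs offline.
function makeFakeBackend() {
  const state = { loggedIn: false, requests: 0, logins: 0 };
  const headers = (map) => ({ get: (k) => map[k.toLowerCase()] ?? null });
  const fetchImpl = async (url) => {
    state.requests += 1;
    if (!state.loggedIn) {
      return { status: 401, headers: headers({ 'www-authenticate': 'X-FormLogin realm="app"' }) };
    }
    return { status: 200, headers: headers({}), body: { url, ok: true } };
  };
  const relogin = async () => {
    await new Promise((resolve) => setTimeout(resolve, 0)); // user fills in the popup
    state.logins += 1;
    state.loggedIn = true;
  };
  return { state, fetchImpl, relogin };
}

// Two RPC calls fire while the session is expired: one popup, both replayed.
async function runDemo() {
  const backend = makeFakeBackend();
  const rpc = createSessionAwareFetch(backend.fetchImpl, backend.relogin);
  const [a, b] = await Promise.all([rpc('/api/a'), rpc('/api/b')]);
  return { statuses: [a.status, b.status], ...backend.state };
}

runDemo().then((result) => console.log(result));
// { statuses: [ 200, 200 ], loggedIn: true, requests: 4, logins: 1 }
```

The scheme check is deliberately strict: a 401 whose first token is `Basic` or `Digest` is passed through untouched rather than treated as a login prompt, and the replay happens once only, so a server that keeps answering 401 surfaces as an error instead of an endless popup loop.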
No, you'll have to specify the authentication method to use (typically "Basic") and the authentication realm. See http://en.wikipedia.org/wiki/Basic_access_authentication for an example request and response.

You might also want to read RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication.

Denim answered 17/11, 2009 at 12:07 Comment(0)
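To make the scheme-plus-realm structure concrete, here is an added example (not code from the answer above or from any library): a small parser that splits a `WWW-Authenticate` challenge into its scheme and auth-params, plus the client side of the Basic scheme, which answers with `Authorization: Basic` followed by base64 of `user:password`. The sample credentials are the `Aladdin` / `open sesame` pair that RFC 2617 and the linked Wikipedia article use; the decoder is there to show why Basic is reversible encoding rather than encryption and so belongs only on TLS.

```javascript
// Added example, not code from the original answer: parsing a challenge and
// producing / reading Basic credentials. Runs under Node (uses Buffer).

// Parse one challenge such as `Basic realm="myRealm"` or
// `Digest realm="app", qop="auth", nonce=abc123` into { scheme, params }.
// Scheme and parameter names are case-insensitive per the HTTP auth spec.
function parseChallenge(value) {
  const m = /^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*(.*)$/.exec(value);
  if (!m) throw new Error('malformed challenge: ' + value);
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2] : p[3];
  }
  return { scheme: m[1].toLowerCase(), params };
}

// Build the Authorization value a client sends back for the Basic scheme.
// The user-id may not contain ":" because that character separates the fields.
function basicCredentials(user, password) {
  if (user.includes(':')) throw new Error('user-id must not contain ":"');
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Reverse of the above, as a server would do it; the password comes back in
// the clear, which is why Basic is only acceptable over TLS.
function decodeBasicCredentials(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)\s*$/i.exec(header);
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':');
  if (i < 0) return null;
  return { user: text.slice(0, i), password: text.slice(i + 1) };
}

// Walk through a Basic exchange with the RFC 2617 sample credentials.
function demoBasicExchange() {
  const challenge = parseChallenge('Basic realm="myRealm"');
  const authorization = basicCredentials('Aladdin', 'open sesame');
  const seenByServer = decodeBasicCredentials(authorization);
  return { realm: challenge.params.realm, authorization, seenByServer };
}

console.log(demoBasicExchange());
```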