Proper use of HTTP Error Codes. 550 - Why is it 5xx instead of 4xx?
Today a co-worker used a 550 error on a delete action when the user doesn't have permission, which at first looked bad to me because, as far as I'm aware, that kind of error looks like a client (aka 4xx) error to me and not a server (aka 5xx) error.

When looking at the description, it suggests exactly that it was used correctly, instead of a 401 error, which I was using with some 'problems' before.

The problem with the 401 error is: if user A is logged in and tries to do an action that returns a 401, it can suggest that you must 'log in' since you don't have valid credentials to access that HTTP resource. The problem with this approach is that if the user is logged in, the server knows that he doesn't have the permission; in this case, it looks like a 550 is more appropriate, but it doesn't look quite right to me that a 550 error should be used in this scenario.

Question is: what's the proper use (if any) of the 550 error in web-based applications? I understand its use in FTP and SMTP relay usage. If some logged-in user sends a request for an action which is not permitted, which error should be returned?

Thanks!

Renatorenaud answered 13/5, 2013 at 15:30

Comment (1):

This is old but: As far as I know, there is no definition of an HTTP status code 550. 550 is unused in that protocol. Seems like some sort of in-house status code to me. I would use standard status codes as far as possible to make the system more flexible and portable. (Communicate)
5xx errors are SERVER errors. If the user doesn't have permission it should be a 4xx error.

However, you're correct. A 401 error means that a user must log in to access the resource, i.e. authentication is required.

The error you're looking for is 403 Forbidden.

This has no ambiguity over whether it's because a user is logged in or not. It's clear cut.

From the wiki on http error codes (http://en.wikipedia.org/wiki/List_of_HTTP_status_codes) (emphasis mine):

403 Forbidden

The request was a valid request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference. On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).

Again, according to the above wiki, there is no such thing as a 550 error. I suppose that you could choose to implement it yourself, but there's probably no need to be honest. It should be a server error as defined in the standards however.

Xochitlxp answered 13/5, 2013 at 15:39
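The distinction the answer draws (401 when the client has not authenticated, 403 when it has but lacks the permission) and the comment's point that 550 is not an HTTP status at all, as an added example that is not part of the original question or answer. The session store, user records and the `document:delete` permission name are constructed here for illustration and are not from the page. It also shows the one detail that makes a 401 usable by clients: RFC 7235 requires a `WWW-Authenticate` header on every 401 response, which a 403 does not carry.

```python
"""Added example: map a DELETE request's authorization outcome to the
HTTP status codes the answer recommends, and check that 550 is not a
defined HTTP status. Sample data is constructed, not from the page."""
from dataclasses import dataclass, field
from http import HTTPStatus


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


# Constructed sample session store: session token -> authenticated user.
SESSIONS = {
    "tok-alice": User("alice", {"document:delete"}),
    "tok-bob": User("bob", set()),  # logged in, but may not delete
}

REQUIRED_PERMISSION = "document:delete"  # hypothetical permission name


def authorize_delete(session_token):
    """Return (status, headers, body) for a DELETE attempt.

    401 Unauthorized: no valid credentials; the client should authenticate.
        RFC 7235 requires a WWW-Authenticate header on this response.
    403 Forbidden: credentials are valid but do not grant the permission;
        re-authenticating as the same user would make no difference.
    204 No Content: the deletion would be performed.

    None of these is a 5xx: the server worked correctly in every case.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        return (
            HTTPStatus.UNAUTHORIZED,
            {"WWW-Authenticate": 'Bearer realm="api"'},
            "authentication required",
        )
    if REQUIRED_PERMISSION not in user.permissions:
        return (
            HTTPStatus.FORBIDDEN,
            {},
            f"user {user.name} lacks {REQUIRED_PERMISSION}",
        )
    return (HTTPStatus.NO_CONTENT, {}, "")


def is_standard_http_status(code):
    """True if the code is in the standard library's HTTPStatus table.

    550 is not: it belongs to SMTP and FTP, not to HTTP, so a client or
    monitoring rule that only knows HTTP will treat it as an unknown
    server failure (5xx) rather than a refused request.
    """
    try:
        HTTPStatus(code)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for token in ("tok-alice", "tok-bob", None):
        status, headers, body = authorize_delete(token)
        print(f"{token!s:10} -> {int(status)} {status.phrase} {headers} {body}")
    for code in (401, 403, 550):
        print(code, "defined in HTTP:", is_standard_http_status(code))
```

Returning a 5xx for a permission check is not only semantically wrong: clients and proxies may retry 5xx responses, and availability alerting usually counts them as outages, so a user probing for things they are not allowed to do would show up as server errors rather than as the access-denied events an access log and detection rule should see.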
