Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
According to RFC2616 if I return 401 in response to a request to my (Ruby) server, I “MUST include a WWW-Authenticate header field.” Is this really true? Not setting the header seems to have no negative impact. I’m using Merb as a web framework and it doesn’t force me to set the header.
Am I missing something or is this a rule more honoured in the breach?
The issue is whether you expect users to be able to navigate from the 401 failure to a successful authentication going forward. If you fail to provide a WWW-Authenticate header, then you are changing the meaning of the 401 from ‘You must supply credentials’ to ‘we don’t like your kind around here’. This might be fine for your purposes, but the inherent impoliteness in the concept of rejecting credentials without offering a way to fix the problem is the root behind the ‘MUST’.