I would like to know what is the best practice for informing a user that their access attempt was denied. I realize there are probably more options, but these are the methods I’m considering:
- Inform a user on a dedicated “Access Denied” page reached when my script redirects them via header("Location:")
- Inform a user in a message in the requested dynamic page
I’d like to know the pros vs cons. Currently I can come up with these:
- Pro for redirection: possibly more obfuscated?
- Pro for message in requested page: fewer requests on the HTTP server?
Redirect to an error page or an error controller/action in the current request (if you are using some MVC structure).
And also make sure that you send the correct HTTP headers (code 401 is the right one for access denied) so that a search robot or similar understands what’s going on.
What’s the point of obfuscating?
Nearly all your traffic will be used by serving content that isn’t access denied pages. So I don’t really think that’s a reason to decide for the one or the other. It’s not like users will be F5-hammering on sites they can’t access anyway.
EDIT:
To summarize: It doesn’t really make a difference, but if you can, try not to redirect, and make sure that the proper headers are sent.
EDIT2:
As James Wheare pointed out in the comments it’s against the HTTP spec to redirect to an error page.
In other words: Do not redirect, but print the error directly on the page where it occurred along with the proper headers.
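
The in-place approach the answer settles on, sketched in PHP as an added example (not code from the question or the answer). The session key `user_id` and the function names `is_authenticated()` and `deny_in_place()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical guard for a protected page. The session key
// 'user_id' and the function names are assumptions, not from the page.

/** True when the session carries a logged-in user (assumed session layout). */
function is_authenticated(): bool
{
    return isset($_SESSION['user_id']);
}

/**
 * Answer the denied request on the URL that was requested.
 * No Location header is sent, so browsers and crawlers see the error
 * status for this URL instead of a 302 followed by a 200 error page.
 */
function deny_in_place(int $status, string $message): void
{
    if (headers_sent()) {
        // Output already started: the status line can no longer be changed.
        throw new RuntimeException('deny_in_place() called after output began');
    }
    http_response_code($status);
    header('Content-Type: text/html; charset=utf-8');
    header('Cache-Control: no-store'); // do not cache a per-user denial
    echo '<h1>Access denied</h1><p>'
        . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
    exit; // nothing below the guard may run for a denied request
}

session_start();

if (!is_authenticated()) {
    // 401 is the code the answer above names for access denied.
    deny_in_place(401, 'You must be logged in to view this page.');
}

// Protected content is only reached when the check passed.
echo '<h1>Members area</h1>';
```

The guard has to run before any output is produced, otherwise the status code cannot be set and `deny_in_place()` throws.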