Should a failed login attempt result in an HTTP 401 response? It doesn't seem like all the major sites do this.
I think it depends on the type of authentication in use.
If you look at the same source that @Jan Vorcak cited (RFC 2616), it says that the 401 response "MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource." That refers (as has been posted since I started typing this answer) to the HTTP authentication schemes based on RFC 2617. Few sites intended for general public use seem to use these authentication methods anymore. So, since the WWW-Authenticate header is meaningless, it should not be included, which means that returning a 401 error violates RFC 2616.
So, in most cases, I think the answer is “no.”
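To make the distinction in the answer above concrete, here is an added example (not code from the original question or answer) contrasting the two kinds of login endpoint. The user store, realm name and helper names are constructed for the demo: an RFC 2617-style HTTP Basic endpoint answers a failed attempt with 401 plus the mandatory WWW-Authenticate challenge, while a form/cookie login has no HTTP auth scheme to challenge with, so it re-serves the form (200) or redirects (303) and never emits a 401 without a challenge.

```python
"""Added example: failed-login responses for HTTP Basic auth versus a
form/session login. All names, credentials and the realm are constructed
for the demo; this is not code from the original Q&A."""
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo credential store. A real service stores salted password
# hashes; a plaintext password is used here only to keep the example short.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}
REALM = "example"  # constructed realm name

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison so the response time does not reveal
    which half of the credential was wrong. Unknown users are compared
    against an empty string so they take the same path as known ones."""
    expected = USERS.get(user, "")
    same = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return same and user in USERS


def basic_header(user: str, password: str) -> str:
    """Build the value a client sends in 'Authorization' for Basic auth."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64(user:password)>'. Returns None for any other
    scheme, malformed base64, or a token without the ':' separator."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def http_auth_response(headers: Dict[str, str]) -> Response:
    """RFC 2617-style endpoint. Here a 401 is correct, and RFC 2616
    section 10.4.2 requires it to carry a WWW-Authenticate challenge so
    the client knows which scheme and realm to retry with."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None or not check_credentials(*creds):
        return 401, challenge, "Unauthorized"
    return 200, {}, f"hello {creds[0]}"


def form_login_response(form: Dict[str, str]) -> Response:
    """Form/cookie login. The browser is not speaking an HTTP auth scheme,
    so no challenge applies: a 401 with a Basic challenge would make the
    browser pop its native dialog, and a 401 without one violates RFC 2616.
    Re-serve the form with a generic error, or redirect on success."""
    user = form.get("username", "")
    password = form.get("password", "")
    if not check_credentials(user, password):
        # Same message for unknown user and wrong password (no enumeration).
        return 200, {"Content-Type": "text/html"}, "Invalid username or password."
    session = secrets.token_urlsafe(32)  # constructed session id for the demo
    headers = {
        "Location": "/home",
        "Set-Cookie": f"session={session}; HttpOnly; Secure; SameSite=Lax",
    }
    return 303, headers, ""


if __name__ == "__main__":
    print(http_auth_response({}))
    print(http_auth_response({"Authorization": basic_header("alice", "wrong")}))
    print(form_login_response({"username": "alice", "password": "wrong"}))
```

Note that the form endpoint deliberately does not return 401 at all: browsers treat a 401 with a Basic challenge as a prompt for the native credential dialog, and a 401 without a challenge is exactly the RFC 2616 violation the answer describes.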