Home/ Questions/Q 7848037
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T18:04:09+00:00

We have a login REST service: POST /sessions When the users password has expired

  • 0

We have a login REST service:

POST /sessions

When the users password has expired the next thing that must happen is that the client application will present a change dialog window and then change the users password via:

PUT /users/_ID_/password

What is the best way to communicate this intent to the client? At first I wanted to have POST /sessions return See Other (303). But this causes a GET on /users/_ID_/password. I could return a Multiple Choices (300) response which the client does not do an automatic get on, or I could return an OK (200) and tag in the JSON session object returned.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Having a look at the HTTP status code definitions, I’m thinking the following is the best fit:

    409 Conflict

    The request could not be completed due to a conflict with the current
    state of the resource. This code is only allowed in situations where
    it is expected that the user might be able to resolve the conflict and
    resubmit the request. The response body SHOULD include enough information for the user to recognize the source of the conflict.
    Ideally, the response entity would include enough information for the
    user or user agent to fix the problem

    There is a conflict with the current state of the session resource because the user needs to change their password before being able to create a session. You can return the url to the change password screen in this response so that the client knows where to go to fix the conflict.

    • 0