When a web page offers content that requires the user to log in, there are two ways to have them authenticate themselves:
1. The web application stores the URL, then redirects to a separate login page, then upon a successful authentication it redirects back to the stored URL;
2. Instead of the protected content the page displays the login form (staying at the same URL), and after a successful login action the page refreshes and the real content appears.
I’d like to know the following:
- If I go with option 1 what would be the correct http status code to use? (302 is probably the correct one, so I am listing this question here only for the sake of completeness.)
- What would be the appropriate http status code for option 2? 401 is tempting but I don’t wish to use http authentication.
- A sub-question: why is http authentication so uncommon?
- How can I ensure that crawlers won’t associate the protected content’s title, keywords, description and other meta data with the login form?
And actually this is what I’d really like to know:
- Do http status codes matter in the above cases at all? Are there any pragmatic benefits from using proper status codes?
You want to use option 1. The reason for this is that if you show the form on every URL that requires a login, you’ll have two problems:
Using a 302 redirect would be the correct way to do this as you have already discovered. And using the proper status codes does matter. Search engines interpret their meaning and sending the wrong status code could cause negative consequences. Since sending the proper HTTP status code is easy to do it definitely is worth doing.
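Option 1 as the answer recommends, worked through as an added example (not code from the question or the answer): the protected URL answers an unauthenticated request with a 302 to the login page and carries the original URL in a `next` parameter, and the post-login redirect only honours that parameter when it is a same-site relative path, so the stored URL cannot be turned into an open redirect. The paths `/login` and `/account` and the `next` parameter name are assumptions.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

LOGIN_PATH = "/login"          # assumed location of the separate login page
PROTECTED_PREFIX = "/account"  # assumed prefix of content that requires a login


def is_safe_return_url(url: str) -> bool:
    """Accept only relative, same-site paths as the stored return URL.

    Absolute URLs ("https://other.example/..."), scheme-relative URLs
    ("//other.example/...") and non-http schemes are rejected, so the
    redirect after login can only land on this site."""
    parts = urlsplit(url)
    return (parts.scheme == "" and parts.netloc == ""
            and url.startswith("/") and not url.startswith("//"))


def handle_request(path: str, session: Optional[dict]) -> dict:
    """Serve a request. Unauthenticated access to protected content gets a
    302 to the login page (option 1); the protected URL itself carries no
    title or body, so a crawler has nothing to associate with the login form."""
    if path.startswith(PROTECTED_PREFIX) and session is None:
        location = f"{LOGIN_PATH}?{urlencode({'next': path})}"
        return {"status": 302,
                "headers": {"Location": location, "Cache-Control": "no-store"},
                "body": ""}
    if path.startswith(PROTECTED_PREFIX):
        return {"status": 200,
                "headers": {"Cache-Control": "private, no-store"},
                "body": f"<title>Account of {session['user']}</title>"}
    return {"status": 200, "headers": {}, "body": "public content"}


def handle_login_success(query: str, user: str) -> dict:
    """After a successful login, 302 back to the stored URL if it passes the
    same-site check, otherwise fall back to the site root."""
    next_url = parse_qs(query).get("next", ["/"])[0]
    if not is_safe_return_url(next_url):
        next_url = "/"
    return {"status": 302,
            "headers": {"Location": next_url, "Cache-Control": "no-store"},
            "body": ""}
```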