|OT| HTTP header response for invalid form inputs?

  • R. Rajesh Jeba Anbiah

    |OT| HTTP header response for invalid form inputs?

    Is it necessary or is there any standard to send HTTP header status
    for form inputs ? Say, the user is entering invalid password in login
    form and now all the applications I have seen are just displaying error
    messages above the form (with HTTP status 200); is it necessary to send
    401 status in this case?

    --
    <?php echo 'Just another PHP saint'; ?>
    Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

  • Janwillem Borleffs

    #2
    Re: |OT| HTTP header response for invalid form inputs?

    R. Rajesh Jeba Anbiah wrote:
    > Is it necessary or is there any standard to send HTTP header status
    > for form inputs ? Say, the user is entering invalid password in login
    > form and now all the applications I have seen are just displaying
    > error messages above the form (with HTTP status 200); is it necessary
    > to send 401 status in this case?
    >

    The 401 header is generally only used with REALM authentication. When this
    type of authentication isn't used, the HTTP 200 header is more appropriate,
    because the page is found and the error is handled on the page itself.

    Another reason for using HTTP headers is when the application responses are
    interpreted by another application. A quick look at the status then will
    give an indication of the success rate, without parsing the response body.


    JW
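
Added example (not part of the post above or of the thread): a consumer that reads only the status code of login requests in an access log, run once on a log where rejected logins were answered with 403 and once where every response was 200. The log lines, the `/login.php` path, the addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined-log-style line: client, two ignored fields, timestamp, request, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def make_log(fail_status):
    """Constructed sample log: the same seven login POSTs, with rejected
    attempts recorded under the status the application chose to send."""
    rows = [("198.51.100.7", fail_status)] * 4 + [
        ("198.51.100.7", "200"),
        ("203.0.113.9", fail_status),
        ("203.0.113.9", "200"),
    ]
    return "\n".join(
        f'{ip} - - [01/Jan/2024:10:00:{i:02d} +0000] '
        f'"POST /login.php HTTP/1.1" {status} 1843'
        for i, (ip, status) in enumerate(rows)
    )

def login_stats(log_text, path="/login.php"):
    """Return {client: (attempts, rejected)} for POSTs to the login path,
    judging rejection from the status code alone (401 or 403)."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line: ignore rather than guess
        ip, method, url, status = m.groups()
        if method != "POST" or url.split("?", 1)[0] != path:
            continue
        stats[ip][0] += 1
        if status in ("401", "403"):
            stats[ip][1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}

def noisy_clients(log_text, min_rejected=3):
    """Clients with at least min_rejected rejected logins (assumed threshold)."""
    stats = login_stats(log_text)
    return sorted(ip for ip, (_, rej) in stats.items() if rej >= min_rejected)

if __name__ == "__main__":
    for status in ("403", "200"):
        log = make_log(status)
        print(status, login_stats(log), noisy_clients(log))
```

With the all-200 log the same traffic shows no rejections at all, so a consumer like this would need the response body or the application's own log to tell failures apart.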


    • Toby Inkster

      #3
      Re: |OT| HTTP header response for invalid form inputs?

      R. Rajesh Jeba Anbiah wrote:

      > Is it necessary or is there any standard to send HTTP header status
      > for form inputs ? Say, the user is entering invalid password in login
      > form and now all the applications I have seen are just displaying error
      > messages above the form (with HTTP status 200); is it necessary to send
      > 401 status in this case?

      A 401 response should only be used if you're using HTTP authentication.

      403 Forbidden might be more appropriate here.

      --
      Toby A Inkster BSc (Hons) ARCS
      Contact Me ~ http://tobyinkster.co.uk/contact

      • R. Rajesh Jeba Anbiah

        #4
        Re: |OT| HTTP header response for invalid form inputs?

        Toby Inkster wrote:
        > R. Rajesh Jeba Anbiah wrote:
        >
        > > Is it necessary or is there any standard to send HTTP header status
        > > for form inputs ? Say, the user is entering invalid password in login
        > > form and now all the applications I have seen are just displaying error
        > > messages above the form (with HTTP status 200); is it necessary to send
        > > 401 status in this case?
        >
        > A 401 response should only be used if you're using HTTP authentication.
        >
        > 403 Forbidden might be more appropriate here.

        Thanks for your inputs. I really appreciate it. Thanks again.

        --
        <?php echo 'Just another PHP saint'; ?>
        Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

        • R. Rajesh Jeba Anbiah

          #5
          Re: |OT| HTTP header response for invalid form inputs?

          Janwillem Borleffs wrote:
          > R. Rajesh Jeba Anbiah wrote:
          > > Is it necessary or is there any standard to send HTTP header status
          > > for form inputs ? Say, the user is entering invalid password in login
          > > form and now all the applications I have seen are just displaying
          > > error messages above the form (with HTTP status 200); is it necessary
          > > to send 401 status in this case?
          >
          > The 401 header is generally only used with REALM authentication. When this
          > type of authentication isn't used, the HTTP 200 header is more appropriate,
          > because the page is found and the error is handled on the page itself.
          >
          > Another reason for using HTTP headers is when the application responses are
          > interpreted by another application. A quick look at the status then will
          > give an indication of the success rate, without parsing the response body.

          Thanks for your insights. I was wondering if an HTTP status code is
          necessary in form processing. Thanks again.

          --
          <?php echo 'Just another PHP saint'; ?>
          Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

          • Umberto Salsi

            #6
            Re: |OT| HTTP header response for invalid form inputs?

            "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@r ediffmail.com> wrote:

            > Is it necessary or is there any standard to send HTTP header status
            > for form inputs ? Say, the user is entering invalid password in login
            > form and now all the applications I have seen are just displaying error
            > messages above the form (with HTTP status 200); is it necessary to send
            > 401 status in this case?

            If you are using the HTTP basic or digest authentication (RFC 2616,
            2617) 401 is the correct status code if the authentication failed.

            If you are using an application based authentication, you should always
            return a 200 status code and a page with a human readable description of
            the problem ("Invalid login, please retry. Forgot your password? Click
            here!" etc. etc.).

            Regards,
            ___
            /_|_\ Umberto Salsi
            \/_\/ www.icosaedro.it

            • R. Rajesh Jeba Anbiah

              #7
              Re: |OT| HTTP header response for invalid form inputs?

              Umberto Salsi wrote:
              > "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@r ediffmail.com> wrote:
              <snip>
              > If you are using an application based authentication, you should always
              > return a 200 status code and a page with a human readable description of
              > the problem
              <snip>

              Thanks a lot for the explanation; this is what I was confused about.
              Thanks again.

              --
              <?php echo 'Just another PHP saint'; ?>
              Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
