[Catalyst] Re: Http Status Chart

Aristotle Pagaltzis pagaltzis at gmx.de
Thu Mar 13 04:31:35 GMT 2008


* Andrew Rodland <arodland at comcast.net> [2008-03-12 05:55]:
> Anyway, you get a 401 if the server doesn't know who you are,
> and it thinks that if you were the right person you might be
> able to perform that action. You get a 403 if you're not
> allowed to do that despite who you may or may not be.

Exactly. 401 means “use a different set of credentials and try
again”; 403 means “go away, you don’t get to see this.”

So when would 403 happen? F.ex. if access to the resource is
restricted to certain IP ranges, and you are requesting the
resource from an IP outside of those. Or in the case of Apache, you
are asking for a URI that’s served from the file system, but the
web server does not have permission to read that file. Or you
request a URI with a trailing slash, but the corresponding
directory has no `index.html` and the server is not configured
to generate directory listings.

Etc.

Note that RFC 2616 also says that the web server is allowed
to send 404 instead of 403 when it doesn’t want to reveal the
existence of a particular resource to third parties.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
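
The decision order discussed in this message, as an added example that is not part of the original post and is not Catalyst code. The names `decide`, `Resource`, `RESOURCES`, `USERS` and the realm string are hypothetical, and the choice to answer 403 for a known but unauthorized user follows the quoted description above.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed credential store, for illustration only.
USERS = {"alice": "s3cret", "bob": "hunter2"}

@dataclass
class Resource:
    allowed_users: frozenset = frozenset()  # empty: no login required
    allowed_nets: tuple = ()                # empty: any source address
    conceal: bool = False                   # answer 404 where 403 would apply

# Constructed policy table (hypothetical paths).
RESOURCES = {
    "/reports": Resource(allowed_users=frozenset({"alice"})),
    "/intranet": Resource(allowed_nets=("10.0.0.0/8",)),
    "/admin": Resource(frozenset({"alice"}), ("10.0.0.0/8",), conceal=True),
}

def decide(path, client_ip, creds=None):
    """Return (status, headers); creds is a (user, password) tuple or None."""
    res = RESOURCES.get(path)
    if res is None:
        return 404, {}
    # A concealed resource answers exactly like a missing one when refusing.
    denied = (404 if res.conceal else 403, {})
    # Address restriction: no credentials can change the outcome, so refuse.
    ip = ipaddress.ip_address(client_ip)
    if res.allowed_nets and not any(ip in ipaddress.ip_network(n) for n in res.allowed_nets):
        return denied
    if not res.allowed_users:
        return 200, {}
    # Unknown or wrong identity: other credentials might work, so 401 + challenge.
    stored = USERS.get(creds[0]) if creds else None
    if stored is None or not hmac.compare_digest(stored, creds[1]):
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    # Known identity that is not on the list: retrying is pointless.
    if creds[0] not in res.allowed_users:
        return denied
    return 200, {}
```

Note that a 401 still confirms the resource exists, so concealment here only holds for clients that fail the address check or authenticate as a user who is not permitted.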


