HTTP defines the status 401 Unauthorized for missing authentication, but this status only applies to HTTP authentication. What status should I return with a session cookie b
Formally, 403 Forbidden is the right response. It's defined as:
"Authorization will not help and the request SHOULD NOT be repeated."
The confusing part may be "Authorization will not help", but they really mean "HTTP authentication" (WWW-Authenticate).
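The distinction the answer draws, as an added example that is not part of the original post: a small WSGI app that answers 401 with a WWW-Authenticate challenge only where HTTP authentication is in use, and 403 where access depends on a session cookie. The paths, the signing key, the Basic credentials and the `user.hmac` cookie format are all assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie

SECRET = b"constructed-demo-key"         # assumption: server-side signing key
API_CREDS = b"svc:constructed-password"  # assumption: one Basic-auth account

def sign_session(user):
    """Issue a cookie value 'user.hmac' (constructed format for this example)."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"

def session_user(cookie_header):
    """Return the user named by a validly signed 'session' cookie, else None."""
    try:
        jar = SimpleCookie(cookie_header)
    except CookieError:
        return None
    if "session" not in jar:
        return None
    value = jar["session"].value
    user = value.rpartition(".")[0]
    ok = user and hmac.compare_digest(sign_session(user).encode(), value.encode())
    return user if ok else None

def basic_ok(auth_header):
    """Check an 'Authorization: Basic ...' header against API_CREDS."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(supplied, API_CREDS)

def respond(environ):
    """Return (status, headers), choosing 401 or 403 by authentication scheme."""
    if environ.get("PATH_INFO", "/").startswith("/api/"):
        # HTTP authentication: a 401 carries a WWW-Authenticate challenge.
        if not basic_ok(environ.get("HTTP_AUTHORIZATION", "")):
            return "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="api"')]
        return "200 OK", []
    # Cookie session: no HTTP challenge applies, so refuse with 403.
    if session_user(environ.get("HTTP_COOKIE", "")) is None:
        return "403 Forbidden", []
    return "200 OK", []

def app(environ, start_response):
    """WSGI entry point wrapping respond()."""
    status, headers = respond(environ)
    start_response(status, headers + [("Content-Type", "text/plain")])
    return [status.encode() + b"\n"]
```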