Correct http status code for resource which requires authorization

Backend | Unresolved | 8 | 706
太阳男子
太阳男子 2021-01-29 23:51

There seems to be a lot of confusion about the correct http status code to return if the user tries to access a page which requires the user to login.

So basically what

8 replies
  •  刺人心
    刺人心 (OP)
    2021-01-30 00:35

    Agreed. REST is just a style, not a strict protocol. Many public web services deviate from this style. You can build your service to return whatever you want. Just make sure your clients know what return codes to expect.

    Personally, I have always used 401 (unauthorized) to indicate an unauthenticated user has requested a resource that requires a login. I then require the client application to guide the user to the login.

    I use 400 (bad request) in response to a logon attempt with invalid credentials.

    HTTP 302 (moved) seems more appropriate for web applications where the client is a browser. Browsers typically follow the re-direct address in the response. This can be useful for guiding the user to a logon page.
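As an added illustration (not code from the thread or from this answerer), here is a minimal handler in Python that applies the scheme described in the reply above: 401 with a WWW-Authenticate header for an unauthenticated API client, 302 to the login page for a browser, and 400 for a login attempt with bad credentials. The session table, user table, login path and the Accept-header test for "is a browser" are assumptions made for the example.

```python
import hmac
from typing import Dict, Optional, Tuple

# A response is (status, headers, body); no web framework needed for the demo.
Response = Tuple[int, Dict[str, str], str]

# Constructed sample data: one valid session token and one user/password pair.
SESSIONS = {"tok-abc123": "alice"}
USERS = {"alice": "correct horse battery staple"}
LOGIN_PATH = "/login"  # assumed location of the HTML login page


def is_browser(headers: Dict[str, str]) -> bool:
    """Assumption: a client that asks for HTML is a browser; API clients do not."""
    return "text/html" in headers.get("Accept", "")


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user bound to the request's bearer token, or None if absent/unknown."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return SESSIONS.get(token)


def protected_resource(headers: Dict[str, str]) -> Response:
    """Serve a login-only page, choosing the status code by client type."""
    user = authenticate(headers)
    if user is not None:
        return 200, {"Content-Type": "text/plain"}, f"hello {user}"
    if is_browser(headers):
        # Browsers follow the redirect, so send them to the login page (302).
        return 302, {"Location": LOGIN_PATH}, ""
    # Unauthenticated API client: 401. RFC 7235 requires a WWW-Authenticate
    # header on a 401 so the client knows which scheme to use.
    return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, "login required"


def login(username: str, password: str) -> Response:
    """Handle a credential submission; bad credentials get 400 as in the reply."""
    # compare_digest avoids a timing side channel on the password comparison;
    # a missing user compares against "" and fails the same way.
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return 400, {"Content-Type": "text/plain"}, "invalid credentials"
    # Constructed token; a real service would mint a fresh random session id.
    return 200, {"Set-Cookie": "session=tok-abc123; HttpOnly; Secure"}, "ok"
```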
