WordPress.org

Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #25446, comment 22


Ignore:
Timestamp:
12/12/2015 11:23:59 PM (6 years ago)
Author:
RavanH
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #25446, comment 22

    initial v1  
    66> > 401 should work fine in terms of the standard, since it's not just for Basic authentication. To be really compliant, we can also send a WWW-Authenticate header
    77
    8 Although I'm all for a switch to a 401 response (because it would make it easier for server processes like fail2ban to recognise a brute force attack from access logs) I don't agree that it's - strictly speaking - a correct response. Be aware that the current 200 response (either on first access or on failed login) is the response that comes after requesting wp-login.php. This is the login that is and should always be accessible without authentication. It should therefore always respond with 200 status. Sending a 401 status response is essentially saying the client is not authorized to access the resource.
     8Although I'm all for a switch to a 401 response (because it would make it easier for server processes like fail2ban to recognise a brute force attack from access logs) I don't agree that it's - strictly speaking - a correct response. Be aware that the current 200 response (either on first access or on failed login) is the response that comes after requesting wp-login.php. This is the login page that is and should always be accessible without authentication and should therefore always respond with 200 status. Sending a 401 status response is essentially saying the client is not authorized to access the resource.
    99
    1010Imagine having to authenticate before access the authentication form is granted? That would be a nice catch-22 :D