Changes between Initial Version and Version 1 of Ticket #25446, comment 22
Timestamp: 12/12/2015 11:23:59 PM
Ticket #25446, comment 22
initial  v1
6        6    > > 401 should work fine in terms of the standard, since it's not just for Basic authentication. To be really compliant, we can also send a WWW-Authenticate header
7        7
8        -    [removed] Although I'm all for a switch to a 401 response (because it would make it easier for server processes like fail2ban to recognise a brute force attack from access logs) I don't agree that it's - strictly speaking - a correct response. Be aware that the current 200 response (either on first access or on failed login) is the response that comes after requesting wp-login.php. This is the login that is and should always be accessible without authentication. It should therefore always respond with 200 status. Sending a 401 status response is essentially saying the client is not authorized to access the resource.
-        8    [added] Although I'm all for a switch to a 401 response (because it would make it easier for server processes like fail2ban to recognise a brute force attack from access logs) I don't agree that it's - strictly speaking - a correct response. Be aware that the current 200 response (either on first access or on failed login) is the response that comes after requesting wp-login.php. This is the login page that is and should always be accessible without authentication and should therefore always respond with 200 status. Sending a 401 status response is essentially saying the client is not authorized to access the resource.
9        9
10       10   Imagine having to authenticate before access to the authentication form is granted? That would be a nice catch-22 :D
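The fail2ban point raised in the comment, as an added example that is not part of the ticket, of fail2ban or of WordPress: a minimal access-log filter written in Python (fail2ban itself is configured with regexes; this just makes the same logic explicit) run over constructed Apache log lines. It assumes, as WordPress currently behaves, that a rejected POST to wp-login.php re-renders the form with a 200 while a successful POST redirects with a 302, and it models the proposed change by rewriting those rejected POSTs to 401. The IP addresses, timestamps and function names are invented for illustration.

```python
import re
from collections import Counter

# Constructed Apache "combined"-format access log (not taken from the ticket).
# Models WordPress as it stands: a rejected POST to wp-login.php re-renders the
# form with 200, a successful POST redirects (302) to wp-admin. 192.0.2.9 only
# reloads the form and never submits credentials.
LOG_200_ON_FAILURE = """\
203.0.113.7 - - [12/Dec/2015:23:10:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2015:23:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3490 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2015:23:10:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3490 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2015:23:10:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3490 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Dec/2015:23:11:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Dec/2015:23:11:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Dec/2015:23:12:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Dec/2015:23:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Dec/2015:23:12:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Dec/2015:23:12:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

# The same traffic under the proposed change: a rejected login is answered
# with 401. Fetching the form itself (the GET) still returns 200.
LOG_401_ON_FAILURE = LOG_200_ON_FAILURE.replace(
    '"POST /wp-login.php HTTP/1.1" 200', '"POST /wp-login.php HTTP/1.1" 401')

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, method, path, status) for one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]  # drop any query string
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def failed_logins(log, failure_status):
    """Count rejected wp-login.php POSTs per client IP.

    failure_status is the code the server sends when credentials are wrong:
    200 for WordPress today, 401 under the proposed change. The method check
    is what keeps the 200 case honest, because merely fetching the form is
    also a 200 and must never count as a failed attempt.
    """
    hits = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if method == "POST" and path == "/wp-login.php" and status == failure_status:
            hits[ip] += 1
    return hits


def offenders(log, failure_status, maxretry=3):
    """IPs that reached maxretry rejected logins, i.e. what fail2ban would ban."""
    return {ip for ip, n in failed_logins(log, failure_status).items() if n >= maxretry}


def status_only_offenders(log, failure_status, maxretry=3):
    """A naive filter keyed on path and status alone, ignoring the method.

    Correct when failures are 401, because nothing else on wp-login.php is a
    401. Wrong when failures are 200, because every GET of the form matches.
    """
    hits = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "/wp-login.php" and rec[3] == failure_status:
            hits[rec[0]] += 1
    return {ip for ip, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    print("200-on-failure, method-aware:", offenders(LOG_200_ON_FAILURE, 200))
    print("200-on-failure, status-only: ", status_only_offenders(LOG_200_ON_FAILURE, 200))
    print("401-on-failure, method-aware:", offenders(LOG_401_ON_FAILURE, 401))
    print("401-on-failure, status-only: ", status_only_offenders(LOG_401_ON_FAILURE, 401))
```

With a 401 the status alone identifies a rejected attempt, so even the naive filter bans only 203.0.113.7. With the current 200 the filter must also key on the request method and on the WordPress-specific fact that a successful login is a 302; the status-only variant bans 192.0.2.9 as well, a client that only reloaded the form. Nothing here argues for returning 401 on the GET of the form itself: that request stays a 200 in both logs, which is the distinction the comment is drawing.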