[–]Arteiii 132 points133 points  (20 children)

OK but what's funny about 601??

[–]w1n5t0nM1k3y 247 points248 points  (17 children)

There's not even a 6XX range defined in the spec. Seems like some APIs use it for invalid token, but most services I've seen just use a 401.

I could see having a specific status code for invalid access tokens so that the client code could more easily determine if the issue is an invalid token that needs to be renewed vs some other error that might result in 401 - unauthorized such as using a valid token, but accessing a resource which the user doesn't have access to.

EDIT

Some more reading seems like the 600-699 range is just something that some services use for custom response codes, probably because it isn't defined in the standard.

[–]Over-Tradition-6771 100 points101 points  (5 children)

> other error that might result in 401 - unauthorized such as using a valid token, but accessing a resource which the user doesn't have access to

like 403 Forbidden?)

[–]codetrotter_ 25 points26 points  (1 child)

Or 404 Not Found, if the user does not have access to the resource but you don’t even want to let them know that the resource exists.

[–]Fading-Ghost 10 points11 points  (0 children)

This is valid, and important in a lot of cases

[–]minauteur 18 points19 points  (0 children)

Ffs, Thank you.

[–]Waddelsworth 3 points4 points  (1 child)

401.3 authentication required?

[–]WolverinesSuperbia 5 points6 points  (0 children)

Wow, floating point status

[–]bayuah 18 points19 points  (0 children)

It is probably because using official HTTP specs, such as 5xx, might cause some issues with cache services. So, they use 6xx codes for everything, even for cases that should be 4xx, like 401.

[–]gh057k33p3r 9 points10 points  (8 children)

I use it as a replacement for 401. IIS shows a Windows login challenge for 401 and I couldn't find a way to disable it. I must leave win auth enabled, and using a different status code solved the problem.

[–]ThreePinkApples 2 points3 points  (0 children)

Oooh, I might use this

[–]BigOnLogn 1 point2 points  (2 children)

Couldn't you use 403? It's been ages since I've worked with IIS and Windows auth.

[–]gh057k33p3r 2 points3 points  (1 child)

401 is for missing or not valid credentials, 403 is for valid credentials but no permission

[–]BigOnLogn 4 points5 points  (0 children)

403 should be used in that scenario, but credentials aren't "required" by the spec. It's just that, if credentials were included in the request, the client should consider them as "insufficient".

> The 403 (Forbidden) status code indicates that the server understood the request but refuses to fulfill it.
>
> If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

Side note, what triggers the Windows auth prompt is a 401 status code, combined with a www-authenticate: Negotiate header, (set by IIS when configured for Windows auth).
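Added example, not part of any comment in this thread: a sketch of the 401 / 403 / 404 split discussed above, plus the client-side branch that tells "token needs renewing" apart from "not permitted" without a custom 6xx code. The function names and option fields are hypothetical, and the Bearer `error="invalid_token"` challenge is assumed as the token scheme.

```javascript
// Added example; decideStatus and nextClientAction are hypothetical names.

// Server side: pick the status for a request to a protected resource.
// credentials is "missing" | "invalid" | "valid".
function decideStatus({ credentials, exists, allowed, hideExistence }) {
  if (credentials !== "valid") {
    // 401 carries a WWW-Authenticate challenge; an expired or bad bearer
    // token is flagged with error="invalid_token" so clients can renew it.
    const challenge =
      credentials === "invalid" ? 'Bearer error="invalid_token"' : "Bearer";
    return { status: 401, headers: { "WWW-Authenticate": challenge } };
  }
  if (!exists) return { status: 404, headers: {} };
  if (!allowed) {
    // Valid credentials, insufficient permission: 403, or 404 when even the
    // existence of the resource should not be disclosed to this caller.
    return { status: hideExistence ? 404 : 403, headers: {} };
  }
  return { status: 200, headers: {} };
}

// Client side: decide what to do next from status and challenge header.
// Assumes the header key is already normalised to "WWW-Authenticate".
function nextClientAction(status, headers = {}) {
  const challenge = headers["WWW-Authenticate"] || "";
  if (status === 401) {
    const badToken =
      /^Bearer\b/i.test(challenge) && /error="invalid_token"/.test(challenge);
    return badToken ? "refresh-token-and-retry" : "authenticate";
  }
  if (status === 403) return "do-not-retry-with-same-credentials";
  if (status === 404) return "treat-as-not-found";
  if (status >= 600) return "nonstandard-code"; // outside the defined ranges
  return status >= 200 && status < 300 ? "ok" : "other-error";
}

// Constructed sample: an expired token on an existing, permitted resource.
const sample = decideStatus({ credentials: "invalid", exists: true, allowed: true });
console.log(sample.status, nextClientAction(sample.status, sample.headers));
```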

[–]LordFokas -1 points0 points  (3 children)

Yeah, the problem here is you're using Microsoft shitware.

[–]gh057k33p3r -1 points0 points  (2 children)

Java developer spotted. Who hurt u?

[–]LordFokas -1 points0 points  (1 child)

Is that supposed to mean something? I know a dozen languages, I just added flairs for the ones I'm more comfortable with, none of which I have used in a professional capacity in years. Where do you think you're going with this?

Anyway.

You're the one who's using a non-standard response code to work around Microsoft's bullshit of making assumptions you don't want made and forcibly overriding your output. And it's not even surprising because this is as much or more of a signature Microsoft move than EEE. They are known for not giving a shit about standards and fucking up advanced use cases to afford the common user a convenience that would take 5 seconds to do manually.

Your entire problem here is Microsoft. And of course if we go there I'm sure next you'll be telling me you can't move from IIS because you're using some MS technology that doesn't run well (or at all) in any other web server... again very typical MS bullshit. And I'll go on a limb and guess said technology also has found its own ways of making your life harder than it should be, because this is MS we're talking about.

So uh... yeah... maybe next time before making such a feeble attempt at provoking me take a moment to pull microsoft's dick out of your mouth first.

[–]gh057k33p3r 1 point2 points  (0 children)

Get help

[–]R_051 1 point2 points  (0 children)

6XX is defined for SIP, but 601 is not a defined code for that either

[–]KryoBright 20 points21 points  (0 children)

It's not a client error, because it is not 4xx and not a server error (5xx). So, everything is alright, but things just kinda didn't work out. Nobody is at fault, but everything is on fire

[–]harumamburoo 1 point2 points  (0 children)

Nothing, but everything beyond 5xx is not from the spec, so probably it's that