This might be a close relative of the question Correct HTTP status code for login form?. Whether your login has expired or whether you have never had one should make no difference.
The answers given on that other question were:
- 400 - the accepted answer, and I strongly disagree with it.
- 401 - with a WWW-Authenticate header, which may contain anything; it doesn't matter, as browsers should (!?) ignore it if you do not put a Basic or Digest authentication challenge there.
But what I am missing is the real distinction as to how the login form is being delivered. It can be either
* injected as a response to the current request (that is what the 401 answer was suggesting to do)
* or delivered with a redirect, e.g. 302 to a login page, which, once the dialogue is completed, will redirect back to the original request.
I have for 10 years run my application with a 302 redirect to the login page. But I do not like it any more. I want to return 401 so that my scripted agents, REST, etc. will do their stuff properly.
So, what needs to be done to really settle this question is to check how browsers behave when getting a 401 response with a WWW-Authenticate header that does not carry a Digest or Basic challenge. If they always bring up their dialogue, then it's a no-go no matter what we think would be the right and proper way of doing things.
I also need to send 401 with a Location: header and see whether browsers would redirect.
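The experiment described in the post, as an added, constructed example that is not code from the original post or from any of the linked answers: a minimal Python server that answers unauthenticated requests with 401, a WWW-Authenticate header using a non-Basic/non-Digest scheme (the scheme name "FormBased", the realm and the "login-uri" parameter are hypothetical, chosen for illustration only), and a Location header, delivering the login form inline to clients that accept HTML and a JSON body to everyone else. The client side shows how one scripted agent (Python's urllib) treats that response: a 401 is surfaced as an error and its Location header is not followed, because urllib's redirect handling applies only to 3xx redirect codes. Whether a given browser pops up its credentials dialog for an unknown scheme still has to be checked in that browser; this block only gives a server to point it at.

```python
"""
Constructed demo: 401 + WWW-Authenticate (custom scheme) + Location, and how a
non-browser client (urllib) reacts.  Paths, scheme name and the demo token are
assumptions made up for this example.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/login"          # assumption: where the login form lives
VALID_TOKEN = "secret-token"   # constructed credential for the demo only

LOGIN_FORM = b"""<!doctype html><title>Login</title>
<form method="post" action="/login">
<input name="user"><input name="pass" type="password"><button>Log in</button>
</form>"""


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, ctype, body, extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == LOGIN_PATH:
            self._send(200, "text/html", LOGIN_FORM)
            return
        if self.headers.get("Authorization", "") == f"Bearer {VALID_TOKEN}":
            self._send(200, "application/json", b'{"hello": "world"}')
            return
        # Not authenticated.  A 401 must carry WWW-Authenticate (RFC 7235);
        # "FormBased" is a hypothetical scheme that is neither Basic nor Digest,
        # so no browser has a built-in dialog for it.  Location is added only
        # to observe whether a client redirects on a 401.
        challenge = f'FormBased realm="app", login-uri="{LOGIN_PATH}"'
        extra = (("WWW-Authenticate", challenge), ("Location", LOGIN_PATH))
        if "text/html" in self.headers.get("Accept", ""):
            # browser-like client: deliver the login form inline with the 401
            self._send(401, "text/html", LOGIN_FORM, extra)
        else:
            # scripted agent / REST client: machine-readable body
            body = json.dumps({"error": "unauthorized", "login": LOGIN_PATH}).encode()
            self._send(401, "application/json", body, extra)


def start_server():
    """Start the demo server on an ephemeral localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def probe(base_url, accept=None, token=None):
    """GET /api and return (status, lower-cased headers, body, final_url).

    urllib only follows 3xx redirects, so a 401 with a Location header is not
    followed: it is raised as HTTPError and the final URL is still /api.
    """
    req = urllib.request.Request(base_url + "/api")
    if accept:
        req.add_header("Accept", accept)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read(), resp.geturl()
    except urllib.error.HTTPError as e:
        hdrs = {k.lower(): v for k, v in e.headers.items()}
        return e.code, hdrs, e.read(), e.geturl()


if __name__ == "__main__":
    srv, base = start_server()
    try:
        for accept in ("application/json", "text/html"):
            status, hdrs, body, url = probe(base, accept=accept)
            print(status, hdrs.get("www-authenticate"), hdrs.get("location"), url, body[:40])
        print(probe(base, token=VALID_TOKEN)[0])
    finally:
        srv.shutdown()
```

Run it and point a browser at `http://127.0.0.1:<port>/api` (the port is printed nowhere, so print `base` or fix the port if you want a manual browser check); the Accept-based branch is what lets one 401 serve both the inline-form case and the API-client case the post distinguishes, without a 302.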