I suggest you ...

Differentiate between unauthenticated access and unauthorized access

In the ASP.NET security model, the documentation goes out of its way to talk about the difference between Authorization and Authentication.

Unfortunately, the framework itself makes no such distinction. It treats an unauthenticated user's access the same as access by a user who does not have authorization, and returns the same error.

I realize this is probably a result of the fact that most web servers treat file access errors as 403s, because HTTP doesn't really give you any other status code, and you want to differentiate between server-oriented 403s and framework-generated 403s, but there must be a better way of dealing with this.

I suggest that the framework should not respond with a 401 if the user is authenticated, but rather a 403.something code maybe.

4 votes
Nobody Real shared this idea
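The conflation the idea describes comes from FormsAuthenticationModule: at EndRequest it turns any 401 into a 302 to loginUrl, whether or not the request carried a valid authentication ticket. The following is an added example, not code from the original post or from ASP.NET itself: an IHttpModule that keeps the login redirect for anonymous users but reports a denied request from an already authenticated user as 403. It targets ASP.NET (System.Web) 4.5 or later, which is where Response.SuppressFormsAuthenticationRedirect was introduced; the module's name and registration are assumptions.

```csharp
using System;
using System.Web;

// Added example (not part of the original post): separate "who are you?" (401,
// redirect to login) from "you may not do this" (403) under FormsAuthentication.
// Requires ASP.NET 4.5+ for HttpResponse.SuppressFormsAuthenticationRedirect.
// The class name and its web.config registration are assumptions.
public class AuthorizationStatusModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires after the identity is established but before UrlAuthorizationModule
        // and FileAuthorizationModule decide whether the request is allowed.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        // Fires last, after FormsAuthenticationModule has had its chance to redirect.
        app.EndRequest += OnEndRequest;
    }

    private static bool IsAuthenticated(HttpContext ctx)
    {
        return ctx.User != null
            && ctx.User.Identity != null
            && ctx.User.Identity.IsAuthenticated;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;

        // Anonymous users keep the normal login redirect. For an authenticated user
        // a later 401 can only mean "authorization failed", so tell
        // FormsAuthenticationModule not to bounce them to loginUrl. The flag has to
        // be set before EndRequest, because that is where the redirect is issued.
        if (IsAuthenticated(ctx))
            ctx.Response.SuppressFormsAuthenticationRedirect = true;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;

        // Only act on a 401 that an authenticated user received; everything else
        // (anonymous 401 already redirected, or any other status) passes through.
        if (ctx.Response.StatusCode != 401 || !IsAuthenticated(ctx))
            return;

        // Known identity, access denied: that is a 403, not a 401.
        ctx.Response.StatusCode = 403;
        ctx.Response.StatusDescription = "Forbidden";
        // Let the 403 reach the client instead of an IIS custom error page.
        ctx.Response.TrySkipIisCustomErrors = true;
    }

    public void Dispose() { }
}
```

Register it for the integrated pipeline under `system.webServer/modules` in web.config with `<add name="AuthorizationStatusModule" type="AuthorizationStatusModule" />`. Setting the suppression flag early (PostAuthenticateRequest) rather than in EndRequest matters: module EndRequest handlers run in registration order, and FormsAuthenticationModule is registered in the machine-level config before any application module, so by the time a custom EndRequest handler runs the 302 has already been issued unless the flag was set beforehand. Anonymous requests are deliberately left alone, so a logged-out user still lands on the login page exactly as before.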

    1 comment

Nobody Real commented:

I'm really talking more about FormsAuthentication here, I think. I believe the HTTP standard intends that the user be able to enter different credentials if they are unauthorized... But that's not the way most people intend security to work. Maybe a mode of operation?