Differentiate between Unauthenticated access and Unauthorized access
In the ASP.NET security model, the documentation goes out of its way to talk about the difference between Authorization and Authentication.
Unfortunately, the framework itself makes no such distinction. It treats unauthenticated user access the same as access by a user who does not have authorization and returns the same error.
I realize this is probably a result of the fact that most web servers treat file access errors as 403's, because HTTP doesn't really give you any other status code, and you want to differentiate between server oriented 403's and framework generated 403's, but there must be a better way of dealing with this.
I suggest that the framework should not respond with a 401 if the user is authenticated, but rather a 403.something code maybe.
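The distinction the post asks for, shown as an added example that is not part of the original post or of ASP.NET itself: a small request handler that answers 401 (with a `WWW-Authenticate` challenge) when no valid credentials are present, and 403 (no challenge) when the caller is authenticated but lacks the role the route needs. The user store, routes, roles and salt are constructed placeholders; Basic auth is used only because it keeps the example self-contained, the same split applies to cookie or forms authentication.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample data for illustration only (hypothetical users, roles, routes).
_SALT = b"example-salt"


def _hash(password: str) -> str:
    # Salted SHA-256 is enough for a demo; a real store would use a slow password hash.
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


# username -> (password digest, set of roles)
USERS = {
    "alice": (_hash("alice-pw"), {"reader", "admin"}),
    "bob": (_hash("bob-pw"), {"reader"}),
}

# route -> role required to access it
ROUTE_ROLES = {
    "/reports": "reader",
    "/admin": "admin",
}


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the username if the Authorization header carries valid Basic credentials, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    entry = USERS.get(user)
    if entry is None:
        return None
    # Constant-time comparison so a wrong username and a wrong password look the same.
    if not hmac.compare_digest(entry[0], _hash(password)):
        return None
    return user


def handle(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, response headers, body), separating 401 from 403."""
    user = authenticate(headers)
    if user is None:
        # Unauthenticated (missing or invalid credentials): 401 plus a challenge,
        # because supplying credentials can change the outcome.
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}, "authentication required"
    required = ROUTE_ROLES.get(path)
    if required is None:
        return 404, {}, "not found"
    if required not in USERS[user][1]:
        # Authenticated but not authorized: 403 and no challenge, since
        # re-prompting this user for credentials would not help.
        return 403, {}, "forbidden"
    return 200, {}, "hello " + user


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build a Basic Authorization header for the given credentials (test helper)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(handle("/reports", {}))                                   # 401
    print(handle("/admin", basic_header("bob", "bob-pw")))          # 403
    print(handle("/admin", basic_header("alice", "alice-pw")))      # 200
```

The point of the split is what the client should do next: on 401 a browser or forms-auth layer can prompt or redirect to a login page, whereas on 403 it should not, because the identity is already established and only the permission is missing.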
Please see the new security model in ASP.NET 5. https://docs.asp.net/en/latest/security/index.html has more details.
Nobody Real commented
I'm really talking more about FormsAuthentication here I think. I believe the HTTP standard intends that the user be able to enter different credentials if they are unauthorized... But that's not the way most people intend security to work... maybe a mode of operation?