* Andrew Rodland <[EMAIL PROTECTED]> [2008-03-12 05:55]:
> Anyway, you get a 401 if the server doesn't know who you are,
> and it thinks that if you were the right person you might be
> able to perform that action. You get a 403 if you're not
> allowed to do that despite who you may or may not be.

Exactly. 401 means “use a different set of credentials and try again”; 403 means “go away, you don’t get to see this.”

So when would 403 happen? F.ex. if access to the resource is restricted to certain IP ranges, and you are requesting the resource from an IP outside of those. Or in case of Apache, you are asking for a URI that’s served from the file system, but the web server does not have permission to read that file. Or you request a URI with a trailing slash, but the corresponding directory has no `index.html` and the server is not configured to generate directory listings. Etc.

Note that RFC 2616 also says that the web server is allowed to send 404 instead of 403 when it doesn’t want to reveal the existence of a particular resource to third parties.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
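
Added example, not part of the original message and not Catalyst code: a Python sketch of the status-code decision discussed in this thread, covering the IP-range case, the credential challenge, and the 404-instead-of-403 option. The `Resource` fields, the `USERS` table, the realm name and the addresses are all constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed credential store (assumption; a real one holds password hashes).
USERS = {"alice": "s3cret"}

@dataclass
class Resource:
    exists: bool = True
    allowed_nets: tuple = ()        # empty tuple means no IP restriction
    requires_login: bool = False
    hide_existence: bool = False    # answer 404 where 403 would apply

def decide(resource, client_ip, credentials=None):
    """Return (status, headers) for a request to `resource`."""
    if not resource.exists:
        return 404, {}
    # Refusals that no credentials can change are 403, or 404 when the
    # server does not want to reveal that the resource exists.
    refused = 404 if resource.hide_existence else 403
    if resource.allowed_nets:
        ip = ipaddress.ip_address(client_ip)
        nets = (ipaddress.ip_network(n) for n in resource.allowed_nets)
        if not any(ip in net for net in nets):
            return refused, {}
    if not resource.requires_login:
        return 200, {}
    # From here on, different credentials could change the outcome, so the
    # answer is 401 and it carries a challenge telling the client how to retry.
    challenge = {"WWW-Authenticate": 'Basic realm="example"'}
    if credentials is None:
        return 401, challenge
    user, password = credentials
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return 401, challenge
    return 200, {}
```

The IP check runs before the credential check on purpose: a client outside the allowed range never sees a login challenge, because no login would help it.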