I am writing an HTTP service. I want the status codes to distinguish between two states:
- user is not logged-in
- user is logged-in but may not perform a given action
It seems like HTTP 403 Forbidden obviously covers case #2, but for case #1 I am not sure. Reading the list it looks like HTTP 401 Unauthorized is suitable, but according to this:

> The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.
My service cannot fulfil this requirement.
My service will be accessed from XMLHttpRequest in browser JavaScript. Does it matter if I abuse the protocol and return 401 without WWW-Authenticate? Or is there a more suitable (standards-compliant) way for the service to say "you are not logged-in and I am not going to tell you how"?
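The exchange the question describes, as an added example that is not part of the original post: a server-side handler that answers 401 for "no session" and 403 for "session present but role missing", and a client-side helper that maps those statuses back to the two application states. The session store, the `Session` header, the `/admin/report` path and the `admin` role are all assumptions made for this illustration. The 401 carries a `Bearer` challenge, which satisfies the RFC 7235 requirement that every 401 include WWW-Authenticate while avoiding the native login dialog that a `Basic` or `Digest` challenge would cause the browser to show on an XMLHttpRequest.

```javascript
// Added example (not from the question). Distinguishes "not logged in" (401)
// from "logged in but not allowed" (403) for a JSON API called via XHR/fetch.
//
// Assumptions (hypothetical): sessions are identified by an opaque token sent
// in a "session" request header, and "/admin/report" requires the "admin" role.

// Constructed sample session store: token -> user record
const SESSIONS = new Map([
  ["tok-alice", { user: "alice", roles: ["admin"] }],
  ["tok-bob",   { user: "bob",   roles: ["viewer"] }],
]);

// Server side: build the response for a request as {status, headers, body}.
// RFC 7235 requires WWW-Authenticate on every 401. A "Bearer" challenge
// (RFC 6750) keeps the response compliant but is not a scheme the browser
// turns into a native username/password prompt, unlike Basic or Digest.
function handleRequest(req) {
  const session = SESSIONS.get(req.headers["session"]);
  if (!session) {
    return {
      status: 401,
      headers: {
        "WWW-Authenticate": 'Bearer realm="api"',
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ error: "not_logged_in" }),
    };
  }
  if (req.path === "/admin/report" && !session.roles.includes("admin")) {
    return {
      status: 403,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ error: "forbidden" }),
    };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ report: "ok", user: session.user }),
  };
}

// Client side: map the status code to the two states the question asks about.
// In a browser this would wrap the result of fetch()/XMLHttpRequest.
function classifyResponse(res) {
  if (res.status === 401) return "not-logged-in";
  if (res.status === 403) return "forbidden";
  if (res.status >= 200 && res.status < 300) return "ok";
  return "other";
}

// Would this response make the browser show its own credential dialog?
// Only challenge schemes the browser implements natively do that.
function wouldTriggerBrowserPrompt(res) {
  const challenge = res.headers["WWW-Authenticate"] || "";
  return /^(Basic|Digest|NTLM|Negotiate)\b/i.test(challenge);
}

module.exports = { handleRequest, classifyResponse, wouldTriggerBrowserPrompt };
```

On the client, `classifyResponse` is all that is needed to branch between "redirect to login" and "show a permission error"; the server never has to reveal which login mechanism it supports beyond the scheme name in the challenge.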