this post was submitted on 10 Apr 2026
449 points (91.0% liked)
Programmer Humor
Wouldn't unauthorized only be meant for AFTER a login is successful?
Like, the user should have to have an active session first. Maybe you're just talking about that case though.
Unauthorized (403) is still valid for not-logged-in users, as you can permit anonymous access to certain resources.
Unauthenticated (401) is for when you should be redirecting the user to the login page.
Thanks. I think I might have been misreading these in my head. Dyslexia is a dickhead. The number codes really helped.
Maybe I meant unauthenticated. What is this, mandatory cybersecurity education!?
I'm not sure. I was actually asking. And I'm not even sure enough to tell if this is a joke reply you're making or not. Lol.
I just assume the process is to start a general session. Rather than accessing the request to the resource directly.
So, I guess it would be abstracted a bit though. The user COULD be successful at starting the session. Get a success response to redirect to the resource they are trying to reach AFTER the session starts. Then once they are logged in their privileges are checked on that resource. Either returning an unauthorized response or the actual content.
So, I'd guess this is (at minimum) a two step process. Though from a user perspective they just login and get the resource.
If the login fails it's just a single response. I'd guess for security just a 200 response but with no session token or response.
Honestly, I'm just typing this for my brain to try to remember the small amount of work I did with Redfish and RESTful stuff a while back.
But, you are right. There isn't a reason to give the user HTML error codes that can tell them anything more than they should know. Without a user session or without user privileges it's just telling users more than they should. Redirecting to a 404 page with the same generic response is probably best practice. As long as it's consistent.
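The two-step flow the thread describes (authenticate first, then check privileges on the resource) and the "consistent 404 for things the caller shouldn't know about" point, as an added example that is not part of the original post or any commenter's code. One caveat on the status names: in the HTTP spec (RFC 9110) 401 is literally called "Unauthorized" but is defined as "you have not presented acceptable credentials" and must carry a WWW-Authenticate header, while 403 "Forbidden" means "the server knows who you are and still says no". The session table, ACL and paths below are constructed sample data; the HIDDEN set marks resources whose existence is itself sensitive, so an unauthorized request gets the same 404 a nonexistent path would.

```python
"""Minimal model of the authenticate-then-authorize decision and
the 401 / 403 / 404 outcomes. Added illustration; not from the thread."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (hypothetical): session token -> user id.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# Constructed ACL: resource path -> set of principals allowed to read it.
# "*" means anonymous access is permitted, as in the 403-still-valid case.
ACL = {
    "/public/readme": {"*"},
    "/users/alice/profile": {"alice"},
    "/admin/keys": {"admin"},
}

# Resources whose existence we do not confirm to callers who may not read them.
HIDDEN = {"/admin/keys"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def authenticate(session_token: Optional[str]) -> Optional[str]:
    """Step 1: who is calling? Returns a user id, or None for anonymous.
    An unknown or missing token is treated exactly like no token at all."""
    if not session_token:
        return None
    return SESSIONS.get(session_token)


def authorize(user: Optional[str], path: str) -> bool:
    """Step 2: may this principal read this path?"""
    allowed = ACL.get(path, set())
    return "*" in allowed or (user is not None and user in allowed)


def handle(path: str, session_token: Optional[str]) -> Response:
    """Map a request to the status code the thread is arguing about."""
    user = authenticate(session_token)

    if path not in ACL:
        # Genuinely nonexistent: plain 404.
        return Response(404)

    if authorize(user, path):
        return Response(200, body=f"contents of {path}")

    if path in HIDDEN:
        # Not permitted AND existence is sensitive: indistinguishable from
        # the nonexistent case above, whether or not the caller is logged in.
        return Response(404)

    if user is None:
        # Unauthenticated: 401 with a challenge telling the client how to
        # authenticate (a browser app would redirect to the login page here).
        return Response(401, headers={"WWW-Authenticate": 'Bearer realm="example"'})

    # Authenticated, identity known, still not permitted: 403.
    return Response(403)


if __name__ == "__main__":
    for path, token in [
        ("/public/readme", None),
        ("/users/alice/profile", None),
        ("/users/alice/profile", "sess-bob"),
        ("/users/alice/profile", "sess-alice"),
        ("/admin/keys", None),
        ("/admin/keys", "sess-bob"),
        ("/does/not/exist", "sess-alice"),
    ]:
        r = handle(path, token)
        print(f"{path:24} token={token!s:12} -> {r.status} {r.headers}")
```

The ordering of the checks is the security-relevant part: the "does it exist" 404 and the "you may not know it exists" 404 are produced by two different branches but are byte-for-byte the same response, which is the consistency the last comment asks for. Moving the HIDDEN check below the 401 branch would leak existence to anonymous callers via the challenge header.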