What http status code is supposed to be used to te

Published 2019-01-13 09:08

In a webpage, it uses YUI connection manager/datasource to send AJAX requests to the server, if the session (which contains the info on whether the user has been authenticated) has already timed out, those ajax responses that can only be viewed by authenticated users should return an http status code, telling the client that the session has already timed out, then the client either simply redirects him to the login page or asks him if he wants to extend the session.

My question is that, in this situation, what http status code is the most appropriate to tell the client the session has timed out?

List of HTTP status codes from wiki

10 answers
男人必须洒脱
#2 · 2019-01-13 09:49

Best I can suggest is a HTTP 401 status code with a WWW-Authenticate header.

The problem with 403 requests is that RFC 2616 states "Authorization will not help and the request SHOULD NOT be repeated." (i.e. doesn't matter if you are authenticated or not, you are not going to get access to that resource, ever).

The problem with 401 requests is it states they "MUST include a WWW-Authenticate header field". As someone has noted it doesn't appear to be in violation of the spec to use a custom value in a WWW-Authenticate header.

I can't see any reason in RFC 2617 why an HTTP 401 status combined with a custom WWW-Authenticate header like this wouldn't be okay:

WWW-Authenticate: MyAuthScheme realm="http://example.com"

The OAuth spec actually seems to do just this, as they recommend this (though they have to my mind an odd interpretation of the RFC):

WWW-Authenticate: OAuth realm="http://server.example.com/"

This doesn't appear to be specifically SANCTIONED by the RFC, but I can't actually see that it's forbidden by it (it doesn't seem to conflict with any MUST or MUST NOT, SHOULD or SHOULD NOT condition).

I wish there was a more specific HTTP status code for timeouts and for things like CSRF tokens being invalid so this was clearer.

forever°为你锁心
#3 · 2019-01-13 10:00

Code 408, "Request timeout", seems perfect: RFC 2616 explains it means

The client did not produce a request within the time that the server was prepared to wait.

i.e., exactly a "time-out", just as you require!

爷的心禁止访问
#4 · 2019-01-13 10:02

As you posted a link, in that link I found this HTTP status code 440. You can use the 440 HTTP status code for session expired.

440 Login Time-out

The client's session has expired and must log in again.

401 Unauthorized we can use when the user login credential is wrong, or the auth token passed in the header is invalid.

403 Forbidden we can use when the user does not have specific permission for the requested resource.

So in my opinion we should use 440 Login Time-out.

#5 · 2019-01-13 10:03

I would recommend an HTTP 401.

Whereas a 403 basically says, "You're not allowed, go away and don't come back", a 401 says, "We don't know if you're allowed or not because you didn't bring your ID. Go get it and try again."

Compare Wikipedia's definitions:

HTTP 403 - The request was a legal request, but the server is refusing to respond to it.

HTTP 401 - Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided.
