lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


On Wed, Oct 6, 2010 at 2:36 PM, Petite Abeille <petite_abeille@mac.com> wrote:
> On Oct 6, 2010, at 7:11 PM, Fabio Mascarenhas wrote:
>
>> I thought most applications would want to redirect the user to a login
>> page in case of authentication failure instead of throwing a "403
>> Forbidden" back at them
>
> 403? As in "don't even try, I'm not going to give it to you"

I think this would be a good response to a forged authentication
token, but is certainly undesirable if the token has just expired. :-)

> Or 401? As in "Ok, who are you again"?
> If 403, then authentication should make no difference, no?
>
> If 401, then this is the realm of HTTP Authentication and a custom login page would not help as the user agent will take care of
> capturing the user credential, right?

I am assuming you do not want to use HTTP authentication, just like
the typical web app. :-) For authenticated access to an API I would
suggest using something like OAuth (and I think Ignacio has an OAuth
module for Lua)...

--
Fabio Mascarenhas