The definition of HTTP 401 from MDN:
The HTTP 401 Unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.
This status is sent with a WWW-Authenticate header that contains information on how to authorize correctly.
This status is similar to 403, but in this case, authentication is possible.
The definition of HTTP 403 from MDN
The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.
This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic (like an incorrect password).
If user not logged in of the authentication expired, he should login again, so maybe he can access the resource. But HTTP 403 means you can't access the resource no matter what you do, I think HTTP 401 is more suitable.
401 is for the HTTP Authentication/WWW-Authenticate protocol. From RFC 7235 section 3.1, 401 responses MUST include a WWW-Authenticate header. The cookie/redirect-based protocol used by the @authenticated decorator doesn't use WWW-Authenticate, so it shouldn't use 401.
If you want a protocol that uses 401/WWW-Authenticate, you'll need to use your own decorator instead of @tornado.web.authenticated.
Thanks for the detailed explanation. It's clear now. :)
Most helpful comment
401 is for the HTTP Authentication/WWW-Authenticate protocol. From RFC 7235 section 3.1, 401 responses MUST include a WWW-Authenticate header. The cookie/redirect-based protocol used by the
@authenticateddecorator doesn't useWWW-Authenticate, so it shouldn't use 401.If you want a protocol that uses 401/WWW-Authenticate, you'll need to use your own decorator instead of
@tornado.web.authenticated.