[wp-trac] [WordPress Trac] #25446: Return HTTP status code 401 upon failed login
WordPress Trac
noreply at wordpress.org
Sat Dec 12 23:22:01 UTC 2015
#25446: Return HTTP status code 401 upon failed login
------------------------------------+------------------------------
Reporter: raoulbhatia | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 3.6
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
------------------------------------+------------------------------
Comment (by RavanH):
Replying to [comment:21 swissspidy]:
> As per #6:
>
> > 401 is the correct error to return here.
>
> > 401 should work fine in terms of the standard, since it's not just for
> > Basic authentication. To be really compliant, we can also send a
> > WWW-Authenticate header
Although I'm all for a switch to a 401 response (because it would make it
easier for server processes like fail2ban to recognise a brute force
attack from access logs), I don't agree that it's - strictly speaking - a
correct response. Be aware that the current 200 response (either on first
access or on failed login) is the response that comes after requesting
wp-login.php. This is the login page that is, and should always be,
accessible without authentication. It should therefore always respond with
a 200 status. Sending a 401 status response is essentially saying the
client is not authorized to access the resource.

Imagine having to authenticate before access to the authentication form is
granted? That would be a nice catch-22 :D

This confusion is why I proposed to change the whole login logic (redirect
from /wp-admin/ to the login page, then a redirect back to admin after
success) to something simpler that indeed would warrant a 401 response when
access to a particular resource is not granted. See my TL;DR reply above
;)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25446#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
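The fail2ban point raised in the comment above is easy to see with a small log-based detector. The following is an added example for this archive page, not code from WordPress core, from fail2ban, or from anyone on the ticket. It parses Apache/nginx "combined" access log lines (the sample lines are constructed, with RFC 5737 documentation addresses), treats a request to wp-login.php as a failed login when it is a POST that came back with 200 (WordPress's current behaviour: the form is re-rendered) or with 401 (the proposed behaviour), and applies a fail2ban-style maxretry/findtime rule. The `require_post` switch shows why the status alone is not enough today: the first GET of the blank form is also a 200, so a filter keyed on status has to look at the method as well, whereas a 401 would only ever be sent for a rejected credential.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log line; the filter keys on client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample log (not from any real server): one client hammering the form and
# getting today's 200, one getting the proposed 401, and one legitimate user who fails
# once and then logs in (WordPress answers a successful login with a 302 to wp-admin).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2015:23:10:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2015:23:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2630 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2015:23:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2630 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2015:23:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2630 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2015:23:10:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2630 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2015:23:10:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2630 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Dec/2015:23:11:00 +0000] "POST /wp-login.php HTTP/1.1" 401 2630 "-" "curl/7.43"
198.51.100.22 - - [12/Dec/2015:23:11:01 +0000] "POST /wp-login.php HTTP/1.1" 401 2630 "-" "curl/7.43"
198.51.100.22 - - [12/Dec/2015:23:11:02 +0000] "POST /wp-login.php HTTP/1.1" 401 2630 "-" "curl/7.43"
198.51.100.22 - - [12/Dec/2015:23:11:03 +0000] "POST /wp-login.php HTTP/1.1" 401 2630 "-" "curl/7.43"
198.51.100.22 - - [12/Dec/2015:23:11:04 +0000] "POST /wp-login.php HTTP/1.1" 401 2630 "-" "curl/7.43"
192.0.2.10 - - [12/Dec/2015:23:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2630 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Dec/2015:23:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Dec/2015:23:12:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""


def login_failures(lines, failure_statuses=(200, 401), require_post=True):
    """Return {ip: [timestamps]} of wp-login.php requests that look like failed logins.

    With today's 200 the status is ambiguous (the empty form is also a 200), so by
    default only POSTs count. A 401 would be unambiguous and matchable on status alone.
    """
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop ?action=... and similar
        if path != LOGIN_PATH:
            continue
        if require_post and m.group("method") != "POST":
            continue
        if int(m.group("status")) not in failure_statuses:
            continue
        failures[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    return dict(failures)


def failure_counts(lines, **kwargs):
    """Number of apparent failed logins per client IP."""
    return {ip: len(ts) for ip, ts in login_failures(lines, **kwargs).items()}


def brute_force_ips(lines, maxretry=5, findtime=timedelta(minutes=10), **kwargs):
    """fail2ban-style rule: flag an IP with >= maxretry failures inside any findtime window."""
    flagged = set()
    for ip, stamps in login_failures(lines, **kwargs).items():
        stamps.sort()
        left = 0  # sliding window over the sorted timestamps
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > findtime:
                left += 1
            if right - left + 1 >= maxretry:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per IP (POST, 200 or 401):", failure_counts(lines))
    print("flagged:", brute_force_ips(lines))
    print("flagged if only a 401 counted:", brute_force_ips(lines, failure_statuses=(401,)))
    print("status-only match on 200 (counts the GET too):",
          failure_counts(lines, failure_statuses=(200,), require_post=False))
```

Run against the sample, both attackers are flagged under the POST-plus-status rule, only the 401 client is flagged when the filter keys on 401 alone, and a naive status-only match on 200 over-counts the first client by the initial GET of the form. That last result is the practical reason a status code reserved for rejected credentials is easier to act on from access logs, independent of the argument in the comment about whether 401 is the semantically correct code for the login page itself.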