HTTP code 401 on login failure
|Category:||Accounts / authentication|
When purposely causing a login error on Redmine, I can see (using web inspector and/or logfiles) that the HTTP return code is 200, i.e. "everything is ok", for the page that presents the error to the user.
It would be great if Redmine would return a 401 ("Unauthorized", see here: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_errors).
Indeed, I think a 401 code in the webserver logs has great security value, and makes it easy to integrate with solutions such as Fail2Ban and others.
If this change were made, there should be absolutely no impact on the user.
#1 Updated by Holger Just over 5 years ago
The 401 status code is specifically used for Basic or Digest authentication. It has no value when using form authentication as done with Redmine.
If Redmine would return a 401 here, your browser would ask for authentication with a Basic-Auth form, similar to
This not what we want. As such, returning a 200 is okay here for the user. When querying the API, we do already return a 401 if the user did not provide any credentials along with their request. API clients are equipped to deal with this.