id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
4354	Django misuses the HTTP 401 Unauthorized header (either requires a WWW-Authenticate header or modification to return 403 Forbidden)	nslater@…	Adrian Holovaty	"http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

{{{
10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in ""HTTP Authentication: Basic and Digest Access Authentication"" [43]. 
}}}

See ''contrib/auth/handlers/modpython.py'':

{{{
def authenhandler(req, **kwargs):
    ...
    return apache.HTTP_UNAUTHORIZED
}}}

Django should not be using this response without also returning a correct WWW-Authenticate header field. The only response that makes sense in this context is a 403 Forbidden response as the authentication mentioned in the HTTP RFC is specifically HTTP authentication and not through the use of cookies."		closed	Core (Other)	dev		invalid			Accepted	0	0	0	0	0	0