Why does SessionAuthentication in Django REST Framework never return HTTP 401?

Looking at the docs and source from the Django REST Framework, I see that SessionAuthentication only returns HTTP 403, while other Authentication classes return 401. What is the reason for this?

Of course, there are many cases where 401 makes sense.

The problem is especially problematic because "the first authentication type set on the view is used in determining the response type." and SessionAuthentication is the first Authentication class by default.

+3


1 answer


Django REST Framework adheres to the HTTP specification and does not return a 401 response when the Authentication class does not return a WWW-Authenticate header that can be used.

HTTP 401 responses should always include a WWW-Authenticate header that tells the client how to authenticate. HTTP 403 responses do not include a WWW-Authenticate header.

- Django REST Framework Documentation



Since the SessionAuthentication class does not define a WWW-Authenticate header that can be used, Django REST Framework cannot return 401 responses and still follow the spec. You can get around this by placing another Authentication class that supports the header at the top of your list, e.g. BasicAuthentication.

+7
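The rule from the answer above, written out as a small stand-alone model. This is an added example, not code from the original post or from Django REST Framework itself; the class names `SessionAuth` and `BasicAuth`, the function `unauthenticated_response` and the realm value are assumptions made for illustration.

```python
# Simplified model of "the first authentication class decides 401 vs 403".
# All names here are illustrative stand-ins, not Django REST Framework's code.


class SessionAuth:
    """Stand-in for SessionAuthentication: offers no WWW-Authenticate challenge."""

    def authenticate_header(self, request):
        return None


class BasicAuth:
    """Stand-in for BasicAuthentication: advertises an HTTP Basic challenge."""

    realm = "api"  # constructed sample realm

    def authenticate_header(self, request):
        return f'Basic realm="{self.realm}"'


def unauthenticated_response(auth_classes, request=None):
    """Return (status, headers) for a request that no class authenticated.

    Only the first class in the list is asked for a challenge. If it has
    none, the response falls back to 403 with no WWW-Authenticate header,
    even when a later class could have supplied one.
    """
    challenge = None
    if auth_classes:
        challenge = auth_classes[0]().authenticate_header(request)
    if challenge:
        return 401, {"WWW-Authenticate": challenge}
    return 403, {}


if __name__ == "__main__":
    # Same two classes, different order, different status code.
    for order in ([SessionAuth, BasicAuth], [BasicAuth, SessionAuth]):
        names = [cls.__name__ for cls in order]
        print(names, "->", unauthenticated_response(order))
```

In a real project the order is the order of `DEFAULT_AUTHENTICATION_CLASSES` in the `REST_FRAMEWORK` setting, or of `authentication_classes` on a view. Listing `BasicAuthentication` first also means the API accepts HTTP Basic credentials, so weigh that before using it only to change the status code.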

