Is it better to redirect to another page / document using HTTP headers or enable a dynamic message to inform users of denied access?
I would like to know what is the best practice for informing the user that their access attempt was denied. I realize that there are probably more options out there, but these are the methods I am considering:
- Notify the user on the dedicated page "Access Denied" when my script redirects them via header ("Location:")
- Inform the user in a message on the requested dynamic page
I would like to know the pros and cons. Currently I can think of the following:
- Pro for redirection: perhaps more confusing?
- Pro for post on requested page: fewer requests on HTTP server?
Redirect to the error page or error controller / action in the current request (if you are using some MVC framework).
And also make sure you are sending the correct HTTP headers (401 is the correct code for denied access) so that the crawler or the like understands what's going on.
1. > Pro for redirection: perhaps more confusing?

   What's the confusion point?
2. > Pro for post on requested page: fewer requests on HTTP server?

   Almost all of your traffic will be used by displaying content that does not have access to your personal pages. So I really don't think there is a reason for deciding one or the other. It's not like users will be hammering F5 on pages they can't access.
EDIT: To judge: it doesn't really matter, but if you can, try not to redirect and make sure the appropriate headers are sent.
EDIT2: As James Wheare pointed out in the comments on the HTTP spec, redirecting to an error page. In other words: do not redirect, but print the error directly on the page where it happened along with the corresponding headers.
I would highly recommend a redirect for the simple reason that the original url is no longer editable.
If I made a typo in the url:
http://example.com/users/jwheared
And redirected to:
http://example.com/denied
Now I have more trouble to fix my typo:
http://example.com/users/jwheare
The same principle applies to 404 or any other error page. Also, if it's a temporary server error, redirecting to a different url removes the option to wait a bit and then just refresh the page later.
In addition to this user-centric advice, the error page should be served with the appropriate HTTP error code (possibly 401 Unauthorized as mentioned in other answers).
It is best to follow the HTTP specification and none of the 3xx redirect status codes apply to the situation you describe.
Edit: Another important point is that this could potentially damage your search engine performance. If a crawler visits an unauthorized page and receives a redirect, it will see all of your unauthorized pages as one and potentially increase the rank of the error page. If you are sending the correct error headers, then the crawler is more likely to correctly identify that URL as unauthorized and will simply ignore it.
Internet scanners are often dumb clients that implement the minimum level of the HTTP specification. It pays to think about them, as well as the people using the web browser.
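To make the two approaches from the previous two answers concrete, here is an added example (not code from the question or any answer) written as a tiny WSGI application in Python. It assumes a hypothetical `/users/` prefix as the protected area and a toy session check on an `X-Session` request header; both are constructed for the example. `redirecting_app` bounces to `/denied` with a 302, so the browser loses the typo'd URL and every protected page collapses into one redirect target. `in_place_app` answers at the requested URL with an error status instead. One caveat the answers leave implicit: a 401 response must carry a `WWW-Authenticate` header (RFC 7235), and 401 is for unauthenticated clients; if the client is authenticated but simply not allowed, 403 Forbidden is the matching status.

```python
"""Added example: redirect-to-error-page versus in-place error response.
Everything here (paths, the X-Session header, session tokens) is a
constructed assumption, not part of the original Q&A."""

PROTECTED_PREFIX = "/users/"          # hypothetical protected area
VALID_SESSIONS = {"session-abc"}      # constructed sample session store


def is_authorized(environ):
    """Toy auth check: the request carries a known session token."""
    return environ.get("HTTP_X_SESSION") in VALID_SESSIONS


def redirecting_app(environ, start_response):
    """Approach 1 (discouraged above): send a 302 to a shared /denied page.
    The address bar ends up at /denied, so the user cannot simply fix a
    typo in the original URL, and a crawler sees one redirect target
    instead of many distinct protected resources."""
    path = environ["PATH_INFO"]
    if path.startswith(PROTECTED_PREFIX) and not is_authorized(environ):
        start_response("302 Found", [("Location", "/denied"),
                                     ("Content-Type", "text/plain")])
        return [b"Redirecting...\n"]
    if path == "/denied":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"Access denied\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Profile: {path}\n".encode()]


def in_place_app(environ, start_response):
    """Approach 2 (recommended above): answer at the requested URL with an
    error status and the error message in the body. 401 requires a
    WWW-Authenticate header; Cache-Control: no-store keeps shared caches
    from storing the denial. The URL stays in the address bar, so the
    user can correct it or retry later, and crawlers see a real error."""
    path = environ["PATH_INFO"]
    if path.startswith(PROTECTED_PREFIX) and not is_authorized(environ):
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Bearer realm="example"'),
            ("Cache-Control", "no-store"),
            ("Content-Type", "text/plain"),
        ])
        # Echoing the path is safe here because the body is text/plain;
        # an HTML error page would need html.escape(path) instead.
        return [f"Access denied for {path}\n".encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Profile: {path}\n".encode()]


def call(app, path, session=None):
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if session is not None:
        environ["HTTP_X_SESSION"] = session
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for app in (redirecting_app, in_place_app):
        status, headers, body = call(app, "/users/jwheared")
        print(app.__name__, status, headers.get("Location", ""), body.decode().strip())
```

Running the script shows the difference for the mistyped `/users/jwheared` URL from the answer above: the first app reports `302 Found` with `Location: /denied`, the second reports `401 Unauthorized` with the message attached to the URL the user actually requested. Either app can be served for real with `wsgiref.simple_server.make_server`.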
What percentage of your failed passwords are illegal access attempts, and what percentage are bad passwords? If it's mostly the former, yes, redirect them to a separate HTTP page if you think that would make them more awkward.
On the other hand, if you just post a message on one page, you make it much easier for the right customers to enter the correct password.