是否确定返回 HTTP 401 的，如果你想表达的是没有登录用户，即使登录机制是基于表单的，而不是一个AJAX调用的响应状态基于HTTP（基本，摘要等。）？

Is it OK to return an HTTP 401 status for a response to an AJAX call if you wish to convey that the user is not logged in, even though the login mechanism is form-based and not HTTP based (Basic, Digest, etc.)?

答案在这里建议401应使用： http://stackoverflow.com/a/6937030/2891365

The answer here suggests that 401 should be used: http://stackoverflow.com/a/6937030/2891365

和这篇文章显示某人使用401 Ajax响应的一个实际的例子：http://www.bennadel.com/blog/2228-some-thoughts-on-handling-401-unauthorized-errors-with-jquery.htm

And this post shows an actual example of someone using 401 for an AJAX response: http://www.bennadel.com/blog/2228-some-thoughts-on-handling-401-unauthorized-errors-with-jquery.htm

然而， RFC 2616 HTTP / 1.1 明确指出，一个特殊的头是必要的，言下之意的，它只能被用于HTTP认证

However, RFC 2616 for HTTP/1.1 clearly states that a special header is necessary, implying that it can only be used for HTTP authentication.

10.4.2 401未经授权

请求要求用户身份验证。响应必须包含一个 WWW验证 的包含适用于请求的资源是一个挑战头域（第14.47）。

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

我想我或许可以发送一个伪造的标题如 WWW验证：Web窗体，并且仍然符合W3C规范，但感觉像它违反了 WWW验证头。

I guess I can probably send a bogus header like WWW-Authenticate: WebForm and still conform to W3C specs but it feels like it's violating the spirit of the WWW-Authenticate header.

在最后，我似乎无法找到明确规定HTTP 401是否允许AJAX响应的权威来源。有没有办法，我错过了这个权威渠道？

In the end, I cannot seem to find an authoritative source that explicitly states whether HTTP 401 is allowed for AJAX responses. Is there an authoritative source on this that I missed?

推荐答案

我会说这是不正常，因为401是告诉客户端提供的HTTP身份验证凭据。适当的反应将是403禁止，只是告诉客户这是不允许访问资源，无论出于何种原因。

I would say it's not ok since 401 is for telling the client to provide http authentication credentials. The proper response would be 403 Forbidden, simply telling the client it's not allowed to access the resource, for whatever reason.