Feature #26677

closed

HTTP code 401 on login failure

Added by Rémi Saurel over 7 years ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Wont fix

Description

When purposely causing a login error on Redmine, I can see (using web inspector and/or logfiles) that the HTTP return code is 200, i.e. "everything is ok", for the page that presents the error to the user.

It would be great if Redmine would return a 401 ("Unauthorized", see here: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_errors).

Indeed, I think a 401 code in the webserver logs has great security value, and makes it easy to integrate with solutions such as Fail2Ban and others.

If this change were made, there should be absolutely no impact on the user.
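The detection the description has in mind (a Fail2Ban-style maxretry/findtime rule over web-server access logs) only works if a failed login leaves a distinguishable status code in the log. The following is an added example, not code from this issue or from Redmine: it parses constructed Apache/Nginx "combined" log lines and applies a sliding-window rule to POST requests on the login path. It assumes `/login` as the login path, 401 as the failure status requested here, and sample lines with RFC 5737 documentation addresses; the 200 lines show what an unchanged Redmine records on a failed login.

```python
"""Sliding-window detection of repeated failed logins from access logs.

Mirrors the maxretry/findtime logic of a Fail2Ban jail. It can only see a
failed login if the server records a distinct status code (here 401) for it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in "combined" log format; not real traffic.
# /login is assumed as the login path. The 401 lines assume the behaviour
# requested in this issue; the 200 lines show the current behaviour, where a
# failed login is logged exactly like any successfully rendered page.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2017:12:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Aug/2017:12:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Aug/2017:12:00:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2017:12:00:12 +0000] "POST /login HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2017:12:00:20 +0000] "POST /login HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2017:12:00:31 +0000] "POST /login HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Aug/2017:12:30:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

# Fields we need from a combined-format line: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def failed_login_events(log_text, login_path="/login", failure_status=401):
    """Yield (ip, timestamp) for every request the log identifies as a failed login."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path == login_path and status == failure_status:
            yield ip, ts


def find_offenders(log_text, maxretry=3, findtime=600, **match_kw):
    """Return {ip: time_threshold_reached} for IPs with >= maxretry failures within findtime seconds.

    Failures older than findtime drop out of the per-IP window, as in a Fail2Ban jail.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    offenders = {}
    for ip, ts in failed_login_events(log_text, **match_kw):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: threshold reached at {when.isoformat()}")
```

On the sample, only 203.0.113.10 crosses the threshold (three 401s within eight seconds); its later 302 is not counted. The three 200 responses for 198.51.100.7 are the failed logins Redmine records today, and a status-based log rule has nothing to key on for them, which is the gap the request describes.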
