When a web page offers content that requires the user to log in, there are two ways to have them authenticate themselves:
1. The web application stores the URL, then redirects to a separate login page, then upon a successful authentication it redirects back to the stored URL;
2. Instead of the protected content the page displays the login form (staying at the same URL), and after a successful login action the page refreshes and the real content appears.
I'd like to know the following:
- If I go with option 1, what would be the correct HTTP status code to use? (302 is probably the correct one, so I am listing this question here only for the sake of completeness.)
- What would be the appropriate HTTP status code for option 2? 401 is tempting but I don't wish to use HTTP authentication.
- A sub-question: why is HTTP authentication so uncommon?
- How can I ensure that crawlers won't associate the protected content's title, keywords, description and other metadata with the login form?
And actually this is what I'd really like to know:
- Do HTTP status codes matter in the above cases at all? Are there any pragmatic benefits from using proper status codes?