HTTP status code for missing authentication

HTTP defines the status 401 Unauthorized for missing authentication, but this status only applies to HTTP auth开发者_Python百科entication. What status should I return with a session cookie based system, when an unauthorized request happens?

Formally, 403 Forbidden is the right response. It's defined as

Authorization will not help and the request SHOULD NOT be repeated.

The confusing part may be "Authorization will not help", but they really mean "HTTP authentication" (WWW-Authenticate)

403 I believe is technically correct (and probably most effective if you are implementing a custom API / protocol).

401 is not appropriate as it refers to authorization with a WWW-Authenticate header, which a session cookie is not.

If this is a public facing website where you are trying to deny access based on a session cookie, 200 with an appropriate body to indicate that log in is needed or a 302 temporary redirect to a log in page is often best.