Bug #55966
closed
If the login is not successful a 401 header should NOT be used instead of a 200
100%
Description
http://forge.typo3.org/issues/51803 should be reverted as it introduces a Bug instead of fixing anything.
HTTP Status codes are for HTTP and not for the application using it.
Simply sending a 401 status code not only conflicts with RFC 2616, which says
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a
WWW-Authenticate header field (section 14.47) containing a challenge
applicable to the requested resource.
which fe_login doesn't do, but it also breaks HTTP authentication (tested in Chrome, should work in any RFC compliant Browser).
To reproduce this, place a login box on any site that also requires HTTP-Authentication and try to log in with the wrong credentials. You are not only presented with the TYPO3-Login error but also the browser dialog asking you for your HTTP-Credentials.
Affected versions: 4.5 - master
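
The following check is an added example, not part of the original report and not TYPO3 code: it audits a raw HTTP response against the RFC 2616 section 10.4.2 requirement quoted in the report, flagging a 401 that carries no usable WWW-Authenticate challenge. The function names and the sample responses are constructed for illustration.

```python
import re

# A challenge must begin with an auth-scheme, which is an RFC 2616 token.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_CHALLENGE = re.compile(rf"^\s*({_TOKEN})(?:\s+\S.*)?$")


def parse_response_head(raw: bytes):
    """Return (status_code, [(lowercased_name, value), ...]) for a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_401(raw: bytes):
    """Return a list of findings; an empty list means nothing to report."""
    status, headers = parse_response_head(raw)
    if status != 401:
        return []
    challenges = [v for n, v in headers if n == "www-authenticate"]
    if not challenges:
        return ["401 without WWW-Authenticate challenge"]
    return [f"malformed challenge: {c!r}" for c in challenges
            if not _CHALLENGE.match(c)]


# Constructed samples: an application-level login failure sent as a bare 401,
# a proper HTTP Basic challenge, and the same login failure sent as a 200.
BARE_401 = (b"HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html\r\n\r\n"
            b"<p>Login failure</p>")
BASIC_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
             b"www-authenticate: Basic realm=\"staging\"\r\n\r\n")
LOGIN_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Login failure</p>"

if __name__ == "__main__":
    for label, raw in (("bare 401", BARE_401), ("basic 401", BASIC_401),
                       ("login 200", LOGIN_200)):
        print(label, audit_401(raw))
```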