Peter Stuifzand

Proposal for handling 403 forbidden

While I was thinking about how to structure some of my access handling code in my web app, I saw that it is currently impossible to return a 403 code when a user reaches a password-protected page.

The biggest problem with returning a 403 is the way browsers show this problem to the user. The user is interrupted with a popup asking them for a username and a password.

I want to propose a way to make it possible to return a 403 and allow people to log in without getting in the way.

403 forbidden proposal

In this image you can see that when a user reaches a password-protected page, the browser shows a small bar on top of the page that looks just like the ‘Save password’ bar in newer browsers.

This new bar allows users to enter their username and password for a website. It also allows the browser to assist the user by showing just a login button with a username and password already filled in.

With this approach, the web page below this bar can help the user create a new account or retrieve the password.

Please discuss below, and let me know if there are any problems with this approach.

Update 2010-09-14: Of course, the 403 page is shown when you aren’t allowed to view a page. The 401 error code is used to show a login popup. Replace all mentions of 403 with 401 in the above example. Thanks, Klaas.

© 2023 Peter Stuifzand