Proposal for handling 403 forbidden

While I was thinking about how to structure some of my access handling code in my web app, I saw that it currently is impossible to return a 403 code when a user reaches a password protected page.

The biggest problem with returning a 403 is the way the browsers show this problem to the user. The user is interrupted with popup asking them for a username and a password.

I want to propose a way to make it possible to return a 403 and allow for people to login without getting in the way.

403 forbidden proposal

In this image you can see that when a user reaches a password protected page, that the browser shows a small bar on top of the page, that looks just like the 'Save password' bar in newer browsers.

This new bar allows users to enter their username and password for a website. It also allows the browser to assist the user by showing just a login button with a username and password already filled in.

With this approach, the web page below this bar can help the user create a new account or retrieve the password.

Please discuss below, and let me know if there are any problems with this approach.

Update 2010-09-14: Of course, the 403 page is shown when you aren't allowed to view a page. The 401 error code is used to show a login popup. Replace all mentions of 403 with 401 in the above example. Thanks, Klaas.

Mentions

Welcome

My name is Peter Stuifzand. You're reading my personal website.

Profiles

Peter Stuifzand
peter.stuifzand@gmail.com
Zwolle, The Netherlands