Welcome to the #dominoforever Product Ideas Lab! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated jointly by the IBM & HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino page.


Let Domino answer with Status 401 when Login Form gets shown

When you don't have a valid authenticated session, the Domino server automatically responds with the login form.

The HTTP Status Code of this response however is "200 - OK".

For consuming client code (e.g. in case of using Domino as a REST backend) this means interpreting every response body and checking for a login form, just to know if you're still logged in. This could be made so much easier if Domino would answer with Status Code 401, which is an error code and gets handled as such by most client frameworks.

 

Christian Kahlau, sirius-net GmbH

  • Guest
  • Jul 16 2018
  • Investigating
  • Guest commented
    July 16, 2018 22:22

    SPR MKINAPTR77 introduced a new notes.ini in 901FP10.

    DOMINO_FORCE401_WITH_HTML_LOGIN_PAGE

                -Mike

  • Guest commented
    July 18, 2018 15:03

    @Mike: Thanks for sharing this information.

    But ... my point of view is: a web server should answer with the correct status code with no special configuration settings.

    And ... I am not the submitter of this idea.

  • Guest commented
    July 19, 2018 22:56

    The 401 response code is meant to indicate to the browser that we want to initiate basic authentication. That's not what we're doing here. In this case, a browser has requested a form, we successfully found the form and responded with a '200 OK'.

    The 200 code is really the correct response. The notes.ini will override it however.

                 -Mike

  • Guest commented
    July 23, 2018 12:20

    This, imho, is not correct.

    The 401 response is not meant to say anything about "Basic" authentication or any other authentication method. It just tells you "You're not authenticated".

    And no - the browser does not request the login form in most cases - it requests a resource that could not be delivered because of missing authentication, and therefore it gets "redirected" to the login form. Which is not the expected behaviour and so it is an error and must be flagged by an error status code.

    I would agree that when you request "/names.nsf?Login" there must not be a 401 response. But in any other case it is a MUST!

    - Christian (OP)

  • Guest commented
    July 23, 2018 19:26

    Ah, you are correct that 401 is unauthorized; a different header says the style of login desired, basic, negotiate, etc. I oversimplified this.

    Currently we have this notes.ini that will respond with a 401 when we produce the login form. Making it the default or altering it to only work for redirections is an enhancement we can consider.

               -Mike
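
The client-side check this idea asks to make unnecessary, as an added example that is not part of the thread and not Domino or HCL code: a REST client treats a real 401 as "not authenticated", and otherwise has to inspect a 200 HTML body for the login form before trusting it as data. The assumptions are that the login form posts to a URL ending in `?Login` (as in the `/names.nsf?Login` mentioned above) and contains a password input; the function name `classifyResponse` and all sample responses are constructed for illustration.

```javascript
// Added example (not Domino or project code). Assumption: the login form posts to a
// "...?Login" URL and has a password input; a customised login form may differ.
const LOGIN_ACTION = /<form[^>]+action\s*=\s*["'][^"']*\?login\b/i;
const PASSWORD_FIELD = /<input[^>]+type\s*=\s*["']password["']/i;

// Case-insensitive header lookup on a plain { name: value } object.
function headerValue(headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name.toLowerCase());
  return key ? String(headers[key]) : "";
}

// Returns "ok", "unauthenticated", "error" or "unexpected-content".
function classifyResponse(res, expectedType = "application/json") {
  if (res.status === 401) return "unauthenticated";   // server sent a real 401
  if (res.status < 200 || res.status >= 300) return "error";
  const type = headerValue(res.headers, "content-type").split(";")[0].trim().toLowerCase();
  if (type === expectedType) return "ok";
  // 2xx with HTML where JSON was expected: check whether it is the login form.
  const body = String(res.body || "");
  if (type === "text/html" && LOGIN_ACTION.test(body) && PASSWORD_FIELD.test(body)) {
    return "unauthenticated";
  }
  return "unexpected-content";   // never hand this body to the JSON parser
}

// Constructed sample responses (not captured from a real server).
const LOGIN_HTML = '<html><body><form method="post" action="/names.nsf?Login">' +
  '<input name="Username"><input name="Password" type="password"></form></body></html>';
const samples = {
  json200:  { status: 200, headers: { "Content-Type": "application/json; charset=utf-8" }, body: '{"items":[]}' },
  login200: { status: 200, headers: { "Content-Type": "text/html; charset=UTF-8" }, body: LOGIN_HTML },
  login401: { status: 401, headers: { "Content-Type": "text/html; charset=UTF-8" }, body: LOGIN_HTML },
  html200:  { status: 200, headers: { "content-type": "text/html" }, body: "<html><body>Report</body></html>" },
  err500:   { status: 500, headers: {}, body: "" },
};

for (const [name, res] of Object.entries(samples)) {
  console.log(name, "->", classifyResponse(res));
}
```

With the 401 behaviour enabled, only the first branch is needed; the body sniffing is the fallback for servers that still answer 200.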