Authentication error or maybe it isn't? - no user/password was provided

Maxim Dounin mdounin at
Mon Oct 21 11:53:46 UTC 2013


On Sun, Oct 20, 2013 at 05:17:37PM -0400, B.R. wrote:

> It's something a lot of people are bumping on.
> 401 HTTP covers both failed and missing authentication but isn't possible
> for Nginx to differentiate those states and thus only generate an error
> message on a failed (ie not empty credentials, either user or password
> containing something) attempt?
> That would make the error log more efficient as parsing it would provide
> more directly failed attempt to access a particular resource.
> Is it the standard way of doing things or is it your own?
> Are there some use cases or reasons against differentiating 401 answers?

The difference is already here.

The message "no user/password was provided for basic 
authentication", as in original message, means exactly that: there 
are no credentials provided.

On failed authentication, the "user ...: password mismatch" 
message is logged.  On unknown user, the "user ... was not 
found in ..." message is logged.

It might make sense to downgrade the "no user/password ..." 
message severity.  Not sure though.

Maxim Dounin

More information about the nginx mailing list