403 error should be 401?
Going through the beautiful reForis interface, once my session expires or I log out when requesting a resource, I get a 403 Forbidden. Looking back on this, it makes sense, I should be denied access, but the error code 401 would better fit the scenario. From the definition by MDN:
The HTTP 401 Unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. This status is similar to 403, but in this case, authentication is possible.
In addition to this, maybe a JS redirect to the login page is not the best UX choice here? I feel like if there is content the user might want to read, it would be better to just leave the user on the 401 (403) page and let them choose their next action (ignore/log back in).
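The 401/403 distinction raised in this post, as an added example that is not reForis code: a minimal standard-library WSGI handler that answers 401 when the session cookie is missing or expired and 403 only when a valid session lacks permission. The session store, cookie name, paths and the challenge scheme name are assumptions made for illustration.

```python
# Added example (not reForis code): separate "not logged in" (401) from "not allowed" (403).
import time
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> (user, role, expiry in epoch seconds)
SESSIONS = {
    "live-admin": ("alice", "admin", time.time() + 3600),
    "live-guest": ("bob", "guest", time.time() + 3600),
    "stale": ("carol", "admin", time.time() - 1),  # already expired
}
ADMIN_ONLY = ("/api/reboot",)  # hypothetical admin-only path


def lookup_session(environ):
    """Return (user, role) for a known, unexpired session cookie, else None."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("session")
    if morsel is None:
        return None
    entry = SESSIONS.get(morsel.value)
    if entry is None or entry[2] <= time.time():
        return None
    return entry[0], entry[1]


def app(environ, start_response):
    session = lookup_session(environ)
    if session is None:
        # No valid credentials: 401. RFC 9110 requires a WWW-Authenticate
        # challenge on 401; "Cookie" is a placeholder scheme name, not a registered one.
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Cookie realm="router-ui"'),
            ("Content-Type", "text/plain"),
        ])
        return [b"Session missing or expired; log in again.\n"]
    user, role = session
    if environ.get("PATH_INFO", "") in ADMIN_ONLY and role != "admin":
        # Authenticated but not permitted: logging in again would not help.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Not permitted for this account.\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def status_for(path, cookie=""):
    """Call the app with a constructed WSGI environ; return (status, headers)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return seen["status"], seen["headers"]
```

Because the 401 body is returned in place rather than replaced by a redirect, a client can show it and leave the choice to log back in to the user.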