Proper HTTP headers for login success / fail responses?

It depends on what you mean by 'login' and perhaps also on how the login/logout/authorization is handled by the server.

Usually, the expression 'to log in' is related to sessions. One 'logs in', does what needs to be done, and then 'logs out'. The server stores the session information and sends the session ID in a cookie to the client, who then sends the cookie back to inform the server that a session is going on. Within the session, variables can change and their state is persistent between calls from the client.

Intuitively, it sounds natural that there should be a kind of response 'Authorized' when you start a session, together with response 'Unauthorized (401)'.

However, HTTP is a stateless protocol. It does not know about states, only about whether the request is authorized or not. That is why there is the status 401 but no specific 'authorized' status code (since if a request is not unauthorized it is implicitly authorized).

In order to have the feeling of working on a session at the HTTP level (without using a construction like PHP's session_start()) the authorization credentials have to be sent with every request. This is what happens when one uses the .htaccess file to protect a folder, for example. After providing the user name and password to the password dialog, these are subsequently sent every time there is an access within the authorization realm. There is an illusion of a 'session' going on but in reality the username and password are sent at every request.


The header that the server sends is either the 200 OK or 401 denied status codes on success or failure.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Section 10.4.2 401 Unauthorized for this.

When sending the 401, the server must send a

WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

to indicate what scheme should be used to authenticate.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html Section 14.47 WWW-Authenticate for this.
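The stateless 200 / 401 + WWW-Authenticate behaviour described in the two answers above (credentials re-checked on every request, like an .htaccess-protected realm), as an added example that is not part of either answer. The realm name and the user/password pair are constructed for the demo; a real server would verify a password hash from a credential store.

```python
import base64, binascii, hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "example"
# Constructed demo credentials (hypothetical); a real server would verify a
# password hash from a credential store, never compare a plaintext literal.
USERS = {"alice": "secret"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}

def parse_basic(authorization):
    """Return (user, password) from a 'Basic <base64>' header value, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authorize(headers):
    """Stateless check, run on every request: (200, {}) for valid credentials,
    otherwise (401, challenge) so the client learns which scheme to use."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        user, password = creds
        expected = USERS.get(user, "")
        # constant-time compare, done for unknown users too, so a wrong password
        # is not timing-distinguishable from a wrong user name
        pw_ok = hmac.compare_digest(password.encode(), expected.encode())
        if pw_ok and user in USERS:
            return 200, {}
    return 401, dict(CHALLENGE)

class Handler(BaseHTTPRequestHandler):
    """Minimal server: the realm behaves like an .htaccess-protected folder."""
    def do_GET(self):
        status, extra = authorize(self.headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"OK\n" if status == 200 else b"Unauthorized\n")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it and request http://127.0.0.1:8080/ without credentials to see the 401 with its WWW-Authenticate challenge, then with "alice" / "secret" to get 200; the browser re-sends the Authorization header on every subsequent request within the realm.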


There is only HTTP/1.0 401 Unauthorized.

But recently I developed this "auth pattern": First time you visit the page you get 401 and the login screen. As soon as you enter correct login data you receive 200. When your session expires or you click logout you receive 401 and the login screen again. The login screen is always 401, every other page 200.