[thelist] 403 or 404?

Bill Moseley moseley at hank.org
Tue Jun 5 23:22:59 CDT 2007

Say I have a web application where someone must be logged in.
To view an object a user makes a request like:


where 21 is the primary key in the object table.  If the user *owns*
object 21 they can view it.  If the user does not own the object do
they get 403 or 404?  Kind of seems like a 403.

What if the request is for an id that doesn't exist?  Does that make a


I'm thinking 404 in both cases (which I guess is withing the spec).

Would you handle things differently if the object id was
part of a query string?


Or in a hidden field in a posted form?

Bill Moseley
moseley at hank.org

More information about the thelist mailing list