I would do this: If the person is not logged in at all, they get a 30x redirect to a "Please log in" page. IF they are logged in and try to access something they don't have rights to, they get a 404 page that says something noncommittal such as "The page was not found or you don't have access." That's leaves the obscurity barrier to the hacker, but gives some info to the legit user who made a mistake. -- Stephen Rider <http://striderweb.com/> On Jun 6, 2007, at 8:49 AM, Ken Moore wrote: > Hi all, > > IMHO, you should not tell interlopers any more than they need to > know. If you give detailed error messages each time someone tries > to crack your security, they gain that much knowledge each time. > > Everyone with access knows it already. As for everyone else, keep > them in the dark. > > Ken > > Bill Moseley wrote: >> To view an object a user makes a request like: >> >> /object/21 >> >> where 21 is the primary key in the object table. If the user *owns* >> object 21 they can view it. If the user does not own the object do >> they get 403 or 404?