On Fri, Sep 24, 2010 at 2:14 PM, Hassan Schroeder <hassan.schroeder at gmail.com> wrote:
>> What HTTP status code do you return?
>
> 401 would seem most appropriate.

+1

>> And what kind of approach do you use client side? Display a message or just
>> redirect the browser to login page?
>
> The last time I had to implement this I raised a lightbox-style login pane
> above the page where the request was issued. Once the authentication
> took place, the user was still on the same page so it was easy to replay
> (continue) the desired action seamlessly. More or less. PITA if the user
> doesn't successfully authenticate, but ... :-)

Google mail redirects. I think it really depends on the application and whether the potential to lose work is a big problem, and perhaps more importantly if it's even possible to save the work once the session has expired. I'd say redirect to login unless there is a compelling usability reason to do something more complicated.

--
Matt Warden
Austin, TX, USA
http://mattwarden.com

This email proudly and graciously contributes to entropy.
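
The two client-side options discussed in this thread (re-login in place and replay the request, or fall back to a redirect when authentication fails), sketched as an added example that is not code from any of the posters. The hooks `fetchImpl`, `promptLogin` and `redirectToLogin` and the fake backend in `demo` are assumptions made for illustration.

```javascript
// Added example, not code from the thread. fetchImpl, promptLogin and
// redirectToLogin are hypothetical hooks the application supplies.
function createSessionAwareFetch({ fetchImpl, promptLogin, redirectToLogin }) {
  let pendingLogin = null; // one login prompt shared by all requests that got 401

  function reauthenticate() {
    if (!pendingLogin) {
      pendingLogin = Promise.resolve()
        .then(promptLogin)            // resolves true once the user is logged in again
        .catch(() => false)           // a dismissed or failed prompt counts as "no session"
        .finally(() => { pendingLogin = null; });
    }
    return pendingLogin;
  }

  return async function sessionFetch(url, options = {}) {
    const first = await fetchImpl(url, options);
    if (first.status !== 401) return first;

    if (!(await reauthenticate())) {
      redirectToLogin();              // fallback: plain redirect to the login page
      return first;
    }
    const replay = await fetchImpl(url, options); // replay once, never loop
    if (replay.status === 401) redirectToLogin();
    return replay;
  };
}

// Constructed stand-in for a backend whose session has expired.
async function demo(loginSucceeds) {
  const state = { loggedIn: false, prompts: 0, redirects: 0 };
  const sessionFetch = createSessionAwareFetch({
    fetchImpl: async (url) => (state.loggedIn ? { status: 200, url } : { status: 401, url }),
    promptLogin: async () => { state.prompts += 1; state.loggedIn = loginSucceeds; return loginSucceeds; },
    redirectToLogin: () => { state.redirects += 1; },
  });
  // Two requests fail at the same moment; the user should see one prompt.
  const responses = await Promise.all([sessionFetch("/save"), sessionFetch("/list")]);
  return { statuses: responses.map((r) => r.status), prompts: state.prompts, redirects: state.redirects };
}
```

In a browser, `promptLogin` would raise the login pane and `redirectToLogin` would navigate to the login page; the replay is only safe because the server answered 401 before acting on the original request.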