When trying a Piwik page without logging in, the response is the login form, delivered with status code 200 OK. I think that should be delivered with a 403.
:+1: but I think [401 is better](http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error)
> Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.

I think if we change to 403 some web server configs will catch this and show an error page instead, this could break Piwik for some users.
401 seems more correct, but here it's said that 401 is only to be used with HTTP auth.
It also says that is why Drupal is using 403.
As Drupal uses 403, I think it should be safe for Piwik too.
Not having the correct response code can be critical for some services I think.
I stumbled into a concrete case of this problem on a Piwik plugin:
That's an interesting POV, maybe 403 is OK then especially since it's not an HTTP API here.
This also happens when accessing the Reporting API without providing a `token_auth`, it will return a `200 OK`. We need to inspect the body and look for `result => error`. It would be more convenient if we could rely on the HTTP response code.
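
Added example, not part of the thread and not Piwik's own code: a client-side check that refuses to treat `200 OK` as success until the body has been inspected, covering the `result => error` case described in the last comment. It assumes the API was asked for JSON and that an error body is an object with `result` set to `error` plus an optional `message` key; the sample responses are constructed.

```python
import json

# Constructed sample responses (not captured from a real Piwik instance).
SAMPLES = [
    (200, '[{"label": "index", "nb_visits": 12}]'),
    (200, '{"result": "error", "message": "constructed: token_auth missing"}'),
    (200, '<html><form id="login_form"></form></html>'),
    (403, '{"result": "error", "message": "constructed"}'),
]


def classify(status, body):
    """Return (ok, reason) for one Reporting API response.

    The status code is checked first, so the function keeps working if the
    server starts answering 401/403. A 2xx status is only a hint: the body
    must parse as JSON and must not carry result == "error".
    """
    if status in (401, 403):
        return False, "http-auth-status"
    if not 200 <= status < 300:
        return False, "http-status"
    try:
        data = json.loads(body)
    except ValueError:
        # A JSON request answered with something else (for example an HTML
        # page) is treated as a failure, never as an empty result.
        return False, "not-json"
    # Successful reports may be lists or objects; only an object whose
    # "result" field equals "error" is an API-level failure (assumed shape).
    if isinstance(data, dict) and data.get("result") == "error":
        return False, "body-error: " + str(data.get("message", ""))
    return True, "ok"


if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify(status, body))
```
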