What HTTP status code is supposed to be used to tell the client the session has timed out?
Original: http://stackoverflow.com/questions/1653493/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share them, but you must attribute them to the original authors (not me): StackOverflow
Asked by bobo
In a webpage, YUI Connection Manager/DataSource is used to send AJAX requests to the server. If the session (which contains the info on whether the user has been authenticated) has already timed out, those AJAX responses that can only be viewed by authenticated users should return an HTTP status code telling the client that the session has already timed out; then the client either simply redirects him to the login page or asks him if he wants to extend the session.
My question is: in this situation, what HTTP status code is the most appropriate to tell the client the session has timed out?
Accepted answer by Iain Collins
Best I can suggest is an HTTP 401 status code with a WWW-Authenticate header.
The problem with 403 requests is that RFC 2616 states "Authorization will not help and the request SHOULD NOT be repeated." (i.e. it doesn't matter if you are authenticated or not, you are not going to get access to that resource, ever).
The problem with 401 requests is it states they "MUST include a WWW-Authenticate header field". As someone has noted, it doesn't appear to be in violation of the spec to use a custom value in a WWW-Authenticate header.
I can't see any reason in RFC 2617 why an HTTP 401 status combined with a custom WWW-Authenticate header like this wouldn't be okay:
WWW-Authenticate: MyAuthScheme realm="http://example.com"
The OAuth spec actually seems to do just this, as they recommend this (though they have, to my mind, an odd interpretation of the RFC):
WWW-Authenticate: OAuth realm="http://server.example.com/"
This doesn't appear to be specifically SANCTIONED by the RFC, but I can't actually see that it's forbidden by it (it doesn't seem to conflict with any MUST or MUST NOT, SHOULD or SHOULD NOT condition).
I wish there was a more specific HTTP status code for timeouts and for things like CSRF tokens being invalid so this was clearer.
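The 401-with-custom-scheme approach from the accepted answer, alongside the 403 case it contrasts with, worked through as an added JavaScript example (this is not code from the original answer). authorize is the server's decision and clientAction is what the AJAX callback would do with the result; the scheme name MyAuthScheme, the 30-minute idle limit, the session object shape and the role check are all assumptions made for the example.

```javascript
// Added example, not from the original Q&A: the server returns 401 plus a
// custom WWW-Authenticate header for an expired session and 403 for an
// authenticated user who lacks permission; the client tells the two apart.
// "MyAuthScheme", the TTL and the session/resource shapes are assumptions.

const SESSION_TTL_MS = 30 * 60 * 1000; // assumed 30-minute idle timeout
const CHALLENGE = 'MyAuthScheme realm="http://example.com"';

// Server side: map the session state and the resource's requirement to an
// HTTP response. `session` is null when no cookie was sent or it is unknown.
function authorize(session, resource, now) {
  const expired = session === null || now - session.lastSeen > SESSION_TTL_MS;
  if (expired) {
    // Session gone: authentication is possible but missing, so 401 with a
    // custom WWW-Authenticate scheme, as the accepted answer suggests.
    return {
      status: 401,
      headers: { 'WWW-Authenticate': CHALLENGE },
      body: { error: 'session_expired' },
    };
  }
  if (!session.roles.includes(resource.requiredRole)) {
    // Authenticated but not permitted: re-authenticating will not help, so 403.
    return { status: 403, headers: {}, body: { error: 'forbidden' } };
  }
  return { status: 200, headers: {}, body: { data: resource.data } };
}

// Client side: decide what the AJAX callback should do with the response.
// Only a 401 carrying our scheme triggers a re-login (or extend-session) prompt.
function clientAction(response) {
  const auth = response.headers['WWW-Authenticate'] || '';
  if (response.status === 401 && auth.startsWith('MyAuthScheme ')) {
    return 'prompt-reauthenticate';
  }
  if (response.status === 403) return 'show-forbidden';
  if (response.status === 200) return 'render';
  return 'show-generic-error';
}

// Constructed sample data for a stand-alone run.
const NOW = 1700000000000;
const RESOURCE = { requiredRole: 'user', data: 'account balance' };
const SESSIONS = {
  fresh: { lastSeen: NOW - 60 * 1000, roles: ['user'] },
  stale: { lastSeen: NOW - 2 * 60 * 60 * 1000, roles: ['user'] },
  limited: { lastSeen: NOW - 60 * 1000, roles: ['guest'] },
  missing: null,
};

for (const [name, session] of Object.entries(SESSIONS)) {
  const res = authorize(session, RESOURCE, NOW);
  console.log(name, '->', res.status, clientAction(res));
}
```

The client checks the scheme name in the header rather than reacting to every 401, so a 401 from an unrelated proxy or an HTTP Basic realm does not pop the application's login dialog.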
Answer by Jonathon Hill
I would recommend an HTTP 401.
Whereas a 403 basically says, "You're not allowed, go away and don't come back", a 401 says, "We don't know if you're allowed or not because you didn't bring your ID. Go get it and try again."
Compare Wikipedia's definitions:
HTTP 403 - The request was a legal request, but the server is refusing to respond to it.
HTTP 401 - Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided.
Answer by John Reichert
What about 419 - it is not standard, but the description on Wikipedia seems to fit:
419 Authentication Timeout
Not a part of the HTTP standard, 419 Authentication Timeout denotes that previously valid authentication has expired. It is used as an alternative to 401 Unauthorized in order to differentiate from otherwise authenticated clients being denied access to specific server resources.
Answer by Jason
I believe the appropriate code is going to be 403/Forbidden. There aren't any that are directly related to sessions.
Answer by Dermot Doherty
Truth is, there is no standard HTTP status code for a session timeout. Sessions are implemented in the application layer, not the HTTP transport layer.
There is a custom status code that Microsoft have been using for session timeout: 599, or simply make up your own status code in the 5xx range.
From the Status Codes Wiki:
599 Network connect timeout error (Unknown) This status code is not specified in any RFCs, but is used by Microsoft Corp. HTTP proxies to signal a network connect timeout behind the proxy to a client in front of the proxy.
I use the custom status code 599 for a session timeout and then check for it in the AJAX response.
Answer by Faisal Mq
As per the Wikipedia link of HTTP Status Codes provided above by Bobo:
440 Login Timeout (Microsoft)
A Microsoft extension. Indicates that your session has expired.
Answer by Vinay Pandya
As you posted a link, in that link I found this HTTP status code 440. You can use the 440 HTTP status code for session expired.
440 Login Time-out
The client's session has expired and must log in again.
401 Unauthorized we can use when the user login credential is wrong, or the auth token passed in the header is invalid.
403 Forbidden we can use when the user does not have specific permission for the requested resource.
So in my opinion we should use 440 Login Time-out.
Answer by Mike Nakis
Technically, the accepted answer is of course correct: If you already know for sure that you are going to be failing the request, and you are asking which failure code to return, then HTTP 401 "Unauthorized (Unauthenticated)" is the appropriate one, so as to prompt re-authentication.
But first of all, ask yourself: should you fail the request?
Consider that the user may simply be visiting a public page of your website, in which case you are going to be slapping them across the face with an "Unauthorized!" message, and requiring them to re-authenticate, in order to see a page that they would normally be able to see without authentication. That's not cool.
My advice is to ignore the fact that the session token is unknown, and simply proceed to generate a new session token and create a new session for it. The initial state of the session will of course be "not-yet-authenticated", so if the user is trying to access a non-public page, then the page will see to it that they receive an HTTP 401 "Unauthorized (Unauthenticated)" and must authenticate. But if the user lands on a public page, they won't notice anything different.
Answer by pinei
I would use a 302 redirection response, with a "Location" header directing to a resource path like "/auth-required".
The client could route the resource path to a modal with a login/password form, avoiding transferring the user to another page.
Answer by toxalot
For non-Ajax requests, I use a 302 redirect.
For Ajax requests, I use 200 for known errors. That way I can take advantage of the data object. I find the data object easier to work with than parsing jqXHR for info. And then I don't need to worry about what HTTP status code to try to re-purpose for my situation.
jQuery Example:
$.ajax({
  // send data to server
})
.done(function(data, textStatus, jqXHR) {
  if (data.success) {
    // then process return data
  }
  else {
    // get error type or message from data object
    // could use custom error codes
  }
})
.fail(function(jqXHR, textStatus, errorThrown) {
  // handle unknown errors
});

