I have a web app that uses form based authentication. When an AJAX request fails due to session timeout, I need to send an appropriate notification. It looks like I could send:

  • 403 Forbidden, but that implies "authorization will not help", which is false.
  • 401 Unauthorized, but responses "MUST include a WWW-Authenticate header field" and the information on what exactly the value should be when using form based authentication is limited.

When an AJAX request fails because the user is not authenticated, what then is the appropriate response?

1 Answer

I tend to interpret 403 as "HTTP authorization will not help", and use it instead of 401 when not using HTTP authentication.
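The decision discussed in this thread (401 with a `WWW-Authenticate` header versus 403, and how an AJAX caller should be told that its session is gone) as an added example, not code from the original question or answer. It assumes that the app marks AJAX calls with `X-Requested-With: XMLHttpRequest` or a JSON-preferring `Accept` header (a common convention, not a standard), that the login page lives at a hypothetical `/login`, and that the `WWW-Authenticate` value uses a hypothetical scheme name `FormBased`, since no registered scheme exists for form login. A plain page navigation is redirected to the login page instead, with the original path preserved and checked so the `next` parameter cannot become an open redirect.

```python
"""Build the HTTP response for a request whose session has expired.

Added example; assumptions: the X-Requested-With / Accept heuristic for
detecting AJAX, the LOGIN_PATH and REALM values, and the "FormBased"
scheme name are all hypothetical.
"""
import json
from urllib.parse import quote

LOGIN_PATH = "/login"      # hypothetical login page of the app
REALM = "example-app"      # hypothetical realm name


def is_ajax(headers: dict) -> bool:
    """Heuristic: XMLHttpRequest marker or an Accept header asking for JSON."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-requested-with", "").lower() == "xmlhttprequest":
        return True
    return "application/json" in h.get("accept", "").lower()


def safe_next_path(path: str) -> str:
    """Only allow a same-origin, absolute path as the post-login target.

    Rejects "//host/..." and anything not starting with "/" so the login
    redirect cannot be abused to send the user to another site.
    """
    if not path.startswith("/") or path.startswith("//"):
        return "/"
    return path


def unauthenticated_response(headers: dict, path: str, use_403: bool = False):
    """Return (status, response_headers, body) for a request with no valid session.

    AJAX callers get a machine-readable status (401 by default, or 403 if the
    app follows the interpretation given in the answer above) plus a JSON body
    telling the script where to send the user. Ordinary navigations get a
    303 redirect to the login page.
    """
    common = {
        # never let a browser or proxy cache a "session expired" response
        "Cache-Control": "no-store",
    }
    if is_ajax(headers):
        status = 403 if use_403 else 401
        resp_headers = dict(common, **{"Content-Type": "application/json"})
        if status == 401:
            # RFC 7235 requires WWW-Authenticate on a 401; "FormBased" is a
            # hypothetical scheme name used only for illustration
            resp_headers["WWW-Authenticate"] = (
                f'FormBased realm="{REALM}", login-uri="{LOGIN_PATH}"'
            )
        body = json.dumps({"error": "session_expired", "login": LOGIN_PATH})
        return status, resp_headers, body

    # regular page request: bounce to login, then back to the requested page
    target = quote(safe_next_path(path), safe="")
    location = f"{LOGIN_PATH}?next={target}"
    return 303, dict(common, Location=location), ""


if __name__ == "__main__":
    # constructed sample requests
    print(unauthenticated_response({"X-Requested-With": "XMLHttpRequest"}, "/api/items"))
    print(unauthenticated_response({"Accept": "text/html"}, "/account?tab=1"))
```

On the client side, the script only has to check for the 401/403 status and the `session_expired` body and then show the re-login notice; the `WWW-Authenticate` header is there to satisfy the 401 requirement the question quotes, and the `next` parameter lets the user land back on the page they were on after logging in.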