http - What response code is appropriate for this situation?
I'm developing a web game. As part of the game, you start out with a limited set of features, and you unlock more of them as you play.
For instance, you unlock /fields as part of step 3 in the tutorial. What if you navigate to /fields in the address bar?
I'm trying to work out the best status code to respond with.
403 seems ideal, since the user is forbidden from accessing the page until they unlock it. 404 also makes sense, since the page technically "doesn't exist" until unlocked, and it prevents users from being able to tell the difference between a page that doesn't exist and one they haven't unlocked yet.
But in both cases I've had users report issues with the browser caching the 403/404 result and not letting them access the page after unlocking it unless they purge the cache entirely.
I'm wondering if I should keep using 403 or 404, or should I use an unused 4xx code such as 442 with a custom statusText, or even jokingly send HTTP/1.1 418 I'm a teapot in response to the user poking around where they shouldn't be.
I need a good, solid reason why one option should be used over the others.
TL;DR: 409 Conflict would be an idea, but perhaps you have problems with caching. In that case a cache-buster to force the reload will work.
Long explanation
Perhaps a 409 Conflict status code would make sense:
10.4.10 409 Conflict
The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request. The response body should include enough information for the user to recognize the source of the conflict. Ideally, the response entity would include enough information for the user or user agent to fix the problem; however, that might not be possible and is not required.
Conflicts are most likely to occur in response to a PUT request. For example, if versioning were being used and the entity being PUT included changes to a resource which conflict with those made by an earlier (third-party) request, the server might use the 409 response to indicate that it can't complete the request. In this case, the response entity would likely contain a list of the differences between the two versions in a format defined by the response Content-Type.
It would make sense, because the resource is available after the user did the tutorial. Before that, the resource is in an «invalid» state. And the user is able to resolve this conflict by completing the tutorial.
Later I investigated the case a little more and discovered that the devil is in the detail. Let's read the specification for 403 Forbidden and 404 Not Found.
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request should not be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it should describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal why the request has been refused, or when no other response is applicable.
Important is the specification that «the request should not be repeated». A browser which never re-requests a 403 page might do the right thing. However, let's go on with 404:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the status is temporary or permanent.
[omitted]
Now we have a problem! Why would 404 pages be cached if the specification allows them to be temporary?
Perhaps in your setup you have caching configured incorrectly for 403 and 404 pages. If so, please consult this answer on StackOverflow. It gives a detailed answer about caching 4xx pages.
If you don't want to mess with caching headers, use a so-called cache-buster and pass the system time like this (assuming PHP is your web language):
<a href="/fields?<?php echo time(); ?>">
This produces URLs like /fields?1361948122, increasing every second. It's a variant of the solution proposed by Markus A.
I assume the query string 1361948122 is ignored by your resource. If it is not, pass the cache-buster in a query string parameter instead, for example t=1361948122, and make sure that the parameter t is not evaluated by your resource.
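The two options discussed in the answer above (caching headers on the refusal, and a cache-buster in the link) can be combined in one place. This is an added example, not code from the original question or answer; the function names, the unlock list and the sample player are hypothetical, and `Cache-Control: no-store` is the header chosen here to keep the 403/404 out of the browser cache.

```php
<?php
// Added example; feature_response(), cache_busted_url() and the unlock list are hypothetical names.

/**
 * Decide the status code and headers for a feature page that may still be locked.
 * $hideExistence = true answers 404, so a locked page looks the same as a missing one.
 */
function feature_response(string $feature, array $unlocked, bool $hideExistence): array
{
    if (in_array($feature, $unlocked, true)) {
        // Per-user content: shared caches must not store it, the browser must revalidate.
        return ['status' => 200, 'headers' => ['Cache-Control: private, no-cache']];
    }
    return [
        'status'  => $hideExistence ? 404 : 403,
        // no-store: the refusal is never cached, so the first request after
        // unlocking reaches the server instead of replaying the old 403/404.
        'headers' => ['Cache-Control: no-store'],
    ];
}

/** Append the cache-buster as t=<unix time>, keeping any existing query string. */
function cache_busted_url(string $path, ?int $now = null): string
{
    $sep = (strpos($path, '?') === false) ? '?' : '&';
    return $path . $sep . 't=' . ($now ?? time());
}

/** Emit the decision; must be called before any output is sent. */
function send_feature_response(array $response): void
{
    http_response_code($response['status']);
    foreach ($response['headers'] as $header) {
        header($header);
    }
}

// Constructed sample: a player who has only unlocked "home" requests /fields.
$response = feature_response('fields', ['home'], true);
if (PHP_SAPI === 'cli') {
    // On the command line, print the decision instead of sending headers.
    echo $response['status'], ' ', implode('; ', $response['headers']), "\n";
    echo cache_busted_url('/fields', 1361948122), "\n";
} else {
    send_feature_response($response);
}
```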
http http-response-codes