LornaJane

Status Codes for Web Services

Thursday, July 2. 2009

This the last entry in a mini series on points to consider when designing and building web services. So far there have been posts on error feedback for web services, auth mechanisms for web services, saving state in web services and using version parameters with web services.

Unlike the other posts in this series, this one is quite specific to one type of service - REST - since it deals with status codes, specifically HTTP ones. The ideas are transferrable however and other types of service can return statuses in a similar way.

There's a few key things to think about when returning status codes. In earlier posts in this series these was discussion of using existing application framework to serve pages and changing the output mechanism accordingly. Usually a web page will return a status 200 for OK or also 302 for found, so this is fine when things are working normally. But when things aren't going quite so well, its useful to give alternative feedback that can be easily picked up by a client application.

When things go wrong there are a couple of different schools of thought of how the service should respond. One is that if, for example, the user supplies data which fails validation, the service could provide the OK response and a message to the user to let them know what needs validating - exactly as we'd return information messages to a user filling in a form. To be considered restful however, the service should more correctly return one of the "400" status codes, which means that the client made an error. Interesting and useful codes* in this series are:

  • 401 Unauthorized

  • 403 Forbidden

  • 404 Not Found

  • 405 Method Not Allowed

  • 406 Not Acceptable

  • 408 Request Timeout

  • 417 Expectation Failed

  • 418 I'm a teapot


* I didn't say they were both useful and interesting

Using descriptive status codes allows the client to get the headline of the problem without having to parse a whole request to find out whether it is good or not. HTTP already has this feature built-in, and so we make use of it (HTTP is pretty cool really, makes a great protocol for services!).

Where an error occurs on the server side - it is usual to return a 500 error or another in the 500 series. This lets the client know there is a problem outside of their control; it is useful to include information about whether the client should retry and when. Having a defined protocol for retries helps avoid the situation where a system comes back up only to fall over again with all the traffic from people retrying every minute (or other interval) - this is a real concern for systems that are under heavy load.

Status codes are like a headline to the calling entity about what happened, and are a valuable tool in the web service toolkit. For bonus points, leave me a comment and tell me which is your favourite status code :)
Posted by LornaJane in php at 14:44 | Comments (10) | Trackback (1)
Defined tags for this entry: , , ,
Related entries by tags:
Working with Web Services - Froscon 2010
CodeigniterCon 2010
Leeds PHP User Group
Keynoting at PHPNW10
SugarCRM 6 Installation Error

Trackbacks
Trackback specific URI for this entry

Add a heartbeat method to your service
Over the summer months I wrote a series of posts about designing APIs in general, and web services in particular. This included posts on status codes for web services, error feedback for web services, auth mechanisms for web services, saving state in web
Weblog: LornaJane
Tracked: Oct 28, 08:51

Comments
Display comments as (Linear | Threaded)

I gather most js libraries will now provide an error handler for 4xx and 5xx, which is quite handy to know whether to display an error dialog. I also use 4xx for when client errors eg when a db constraint fails, I respond with a 4xx and put the error message in the body of the response. For 5xx I log the error message rather than include it in the response.

There is one YUI component however, yui-uploader, which doesn’t seem to treat 4xx as an error on FF for Windows (but it did on a Mac)

A favourite status code? If only we could respond to our managers with status codes when they ask for unreasonable things or don’t give us the full details, any of the 4xx codes would be my favourite ;)

#1 shangxiao on 2009-07-03 05:21 (Reply)

shangxiao: my manager is geeky enough that he’d know perfectly well what I was talking about if I used a 4xx code at him :)

#2 LornaJane (Homepage) on 2009-07-03 10:38 (Reply)

I don’t use errors codes at all.

Custom error pages with description what is happened and recommendation what user need to do – it is my way.

Keep in mind not all users can understood error by number and less of them will know what to do.

#3 Alexandr (Homepage) on 2009-07-03 18:31 (Reply)

Using a HTTP Error code doesn’t stop you serving up a custom error page. In fact thats the best way to do it.

People who visit with a web browser will be none the wiser, but anyone that needs to programatically find out what the server responded with can. And if you’re serving up an API error page by returning HTTP status 200, expect people like me to hunt you down and slap you. Hard. Because I check the status code to find out if I hit an error in the API or not, as you’re supposed to. Its a standard for a reason.

#3.1 Caius Durling (Homepage) on 2009-07-03 20:14 (Reply)

I wish there were some more 4xx error codes. They are so arcane and not really fit with today’s use of HTTP as an application protocol.

I would love for some extra codes like missing request parameter, parameter validation failed, etc…

#4 lifeforms on 2009-07-03 23:23 (Reply)

Alexandr: I like to use both – return a status code so anything that cares can see it, then make the body of the thing a sensible error message.

Caius: You are providing us good and sensible advice, thanks for dropping by :)

lifeforms: I have no idea how the codes get decided upon but I do see your point. I end up returning a general error code with a meaningful message usually – the advantage of this is that I can stack error messages and return lots of feedback to the user in one go

#5 LornaJane (Homepage) on 2009-07-05 09:29 (Reply)

For authentication problems, I prefer to use a 412 Precondition Failed. For most of my APIs, I assume that the user is logged in (the Precondition). Although it would be more semantically correct to send the Unauthorized header, I prefer to avoid it since browsers will normally handle it by asking a user to login. Which is confusing and impossible, since my web server is definitely not set up to handle it.

#6 Chris Henry (Homepage) on 2009-07-12 05:04 (Reply)

Chris: That’s a good point – it depends what you expect to be consuming your service, sometimes browsers "help" us in the least helpful ways!

#7 LornaJane (Homepage) on 2009-07-12 18:07 (Reply)

Roy Fielding, who coined the term "Rest", suggests using 422 for validation errors: http://tech.groups.yahoo.com/group/rest-discuss/message/6183

#8 Michael (Homepage) on 2010-01-22 21:39 (Reply)

I like to verify my pages status code and page info such headers, cookies, with this free tool: http://soft-net.net/SendHTTPTool.aspx
It free and it give you a lot of information about the response from the page.

#9 Roy on 2010-03-10 07:01 (Reply)

Add Comment

You can use [geshi lang=lang_name [,ln={y|n}]][/lang] tags to embed source code snippets
Textile-formatting allowed
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
 
 

Quicksearch

Feeds

Comments

Tyrone about PHP5 Soap Server
Thu, 02.09.2010 14:14
Hi Lorna Jane, Thanks for all this – the info on PHP and Soap on the Net is a total mess. Some choosing to to use nusoap.php – which now doesnt even exist anymore. Great work using this method I was up and running very quickly. However – this method only shows a call passing one paramet [...]
LornaJane about Wordpress Automatic Update Asking for FTP
Wed, 01.09.2010 13:03
Thanks so much to everyone that has dropped in and said that this tip is working for them – I had to refer back to this myself the other day to remind me how to get around the FTP prompt!
sherra about Wordpress Automatic Update Asking for FTP
Fri, 27.08.2010 04:17
great insight. thank you. I moved my blog and forgot what I needed to do to avoid ftp. your suggestion works like a charm.
Carl Nobile about Logrotate Error on Ubuntu
Fri, 27.08.2010 00:16
This issue seems to happen when you move a DB from one machine to another as I did. The procedure you describe above should be put into MySQL documentation. You should put in a bug report to the MySQL people as their documentation needs to updated. And yes the PASSWORD parameter needs to be re [...]
Rudger Gravestein about One-Step Symlink Switch
Mon, 23.08.2010 09:19
i also move the current, so in case of non working result, i can easily move it back. mv -fT current fallback; mv -fT next current;
Anon about One-Step Symlink Switch
Sun, 22.08.2010 19:43
This is a convenient way to upgrade, and is certainly a good thing for development / testing environments. On a busy site there might be a slim risk this technique could be problematic. Although the file system is updated in an atomic transaction, a web browser could still read from both the [...]
Les about Working with Web Services - Froscon 2010
Sun, 22.08.2010 17:35
Once more you shine girl yer its true you’re a PHP babe :D
Edmar about One-Step Symlink Switch
Sat, 21.08.2010 20:17
Nice to see a post about this. :-) 100% of our deploys are done using symlinks. We copy our releases into revision-specific folders (which are rev123, rev124, etc.). Deploy is done using: cd /software-revisions-folder ln -sf rev124 current To revert: ln -sf rev123 current Thi [...]
Deep C about One-Step Symlink Switch
Fri, 20.08.2010 19:09
This is very interesting and helpful tip. I just felt its quite similar to adding a new node to link list in C and moving pointer to next :)