/api/session returns 404 instead of 401 when session expired

When I query /api/session with an expired session cookie I get:

"GET /api/session HTTP/1.1" 404

but IMHO the correct response would be 401.

Anton Tananaev6 years ago

I disagree. Session expired, so it doesn't exist. It's not an authorization issue.

that would be correct if the url was:
/api/session/<id>
or
/api/session?id=<id>

but because the url is /api/session, then 404 means that this url doesn't exist. That is not the case.