Send 403 for auth error

adminer/include/auth.inc.php

@@ -117,9 +117,8 @@ function unset_permanent() {
 function auth_error($error) {
 	global $adminer, $has_token;
 	$session_name = session_name();
-	if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_bool("session.use_only_cookies")) {
-		$error = lang('Session support must be enabled.');
-	} elseif (isset($_GET["username"])) {
+	if (isset($_GET["username"])) {
+		header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header
 		if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$has_token) {
 			$error = lang('Session expired, please login again.');
 		} else {
@@ -134,6 +133,9 @@ function auth_error($error) {
 			unset_permanent();
 		}
 	}
+	if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_bool("session.use_only_cookies")) {
+		$error = lang('Session support must be enabled.');
+	}
 	$params = session_get_cookie_params();
 	cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
 	page_header(lang('Login'), $error, null);

changes.txt

@@ -5,6 +5,7 @@ Make master key unreadable to others (bug #410)
 Fix edit by long non-utf8 string
 Specify encoding for PHP 5.6 with invalid default_charset
 Fix saving NULL value, bug since Adminer 4.0.3
+Send 403 for auth error
 MySQL: Use utf8mb4 if available
 PostgreSQL: Materialized views
 Elasticsearch: Use where in select