Why do all HTTP response codes suck for application development?

People still browse without cookies

I get it, cookies and flouride are scary... but not allowing first party cookies? really? How lovely is your Web experience?

I just changed a page on a Django site from requiring an authenticated login to allowing anonymous browsing, and asking for registration later. The page is kind of like a shopping cart where you can add items to an order (but much simpler). I had to change the database from only connecting orders to a profile_id to also holding a session_id - defaulted to NULL.

Upon releasing the feature I started getting error alerts like "get returned 1000 objects, not 1". This was really surprising, and scary. I thought I had broken the site and these were the first people to encounter the feature. But it turns out these users were simply browsing without cookies one... making session_id None, making the query select all records before the session_id column was added...

499 Cookies required

So, I want to show an error to the user saying they need cookies on so I can start an order for them (they're about to give us their home address for shipping anyway). And I thought... I wonder if there's an HTTP code for "you didn't send me a cookie"?

Nope, no such status code.

There's, "400 Bad Request", but the definition specifically talks about syntax errors.

There's, "406 Not Acceptable", but it is for content negotiation.

406 Not Acceptable This response is sent when the web server, after performing server-driven content negotiation, doesn't find any content following the criteria given by the user agent.

I guess 200 OK

So, I'm resigned to just sending 200 OK, because it's not really a 500 type of error, and there's no 400 error that is useful to me. "401 Unauthorized" requires you to send a WWW-Authenticate header.

It would be nice if you could send something in the 400 range and then browsers could pop-up a little native dialog or icon that says, "Session cookies are required to view this page... click here to enable them"

Instead, we're left with codes that are only useful to proxies and ideas about how the Web should work from the 90s... like "203 Non-Authoritative Information", "205 Reset Content", and "426 Upgrade Required"