http semantics http-status-codes

Should failed login pages really be returning an HTTP 200 status?


I noticed today that when you try to log in to Amazon and get your password wrong it returns a 200 OK response. I'm sure most websites also operate in this fashion. Semantically speaking, is this really the appropriate code to return? Wouldn't a code of 401 Unauthorized make more sense or am I thinking of that status code in the wrong way?


Solution

  • If I am sending the data via AJAX, I will use jQuery's .done() and .fail() functions. If the login failed for any reason, I want to invoke the methods in .fail(), so I will send back a 400 (bad request) header; otherwise the methods in .done() would be fired.

    But if you were redirecting to a login page with the failed details then yes, a 200 would be appropriate.
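
The two cases in the answer above, as an added example that is not part of the original post: a server-side decision function that returns a 400 to AJAX callers and a re-rendered 200 page to plain form posts, next to the rule jQuery uses to choose between .done() and .fail(). The function names, the `/account` redirect target and the way AJAX requests are recognised are assumptions made for the illustration.

```javascript
// Added example; loginResponse, isAjax and jqueryCallbackFor are hypothetical names.

// jQuery resolves the request (.done) for 2xx and 304, and rejects it (.fail) otherwise.
function jqueryCallbackFor(status) {
  return (status >= 200 && status < 300) || status === 304 ? 'done' : 'fail';
}

// Assumption: an AJAX caller is recognised by the X-Requested-With header that
// jQuery adds to same-origin requests, or by an Accept header asking for JSON.
function isAjax(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  return h['x-requested-with'] === 'XMLHttpRequest' ||
         (h['accept'] || '').includes('application/json');
}

// Decide status and body for a login attempt. failStatus defaults to the
// 400 the answer uses for a failed AJAX login.
function loginResponse(headers, credentialsOk, failStatus = 400) {
  const ajax = isAjax(headers);
  if (credentialsOk) {
    return ajax
      ? { status: 200, type: 'application/json', body: JSON.stringify({ ok: true }) }
      : { status: 302, location: '/account', body: '' }; // constructed redirect target
  }
  // One generic message for every failure, so the response does not reveal
  // whether the username or the password was the wrong part.
  const message = 'Invalid username or password';
  if (ajax) {
    return { status: failStatus, type: 'application/json',
             body: JSON.stringify({ ok: false, error: message }) };
  }
  // Plain form post: the login page is rendered again, so the page itself is a 200.
  return { status: 200, type: 'text/html', body: `<p class="error">${message}</p>` };
}

// Constructed sample requests, run through both functions.
function demo() {
  const samples = [
    { name: 'ajax, wrong password', headers: { 'X-Requested-With': 'XMLHttpRequest' }, ok: false },
    { name: 'ajax, correct password', headers: { Accept: 'application/json' }, ok: true },
    { name: 'form post, wrong password', headers: { Accept: 'text/html' }, ok: false },
  ];
  return samples.map(s => {
    const res = loginResponse(s.headers, s.ok);
    return { name: s.name, status: res.status, callback: jqueryCallbackFor(res.status) };
  });
}
```
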