Tags: http, language-agnostic, http-status-codes

What HTTP code to use in "Not Authenticated" and "Not authorized" cases?


I read that the "401 Unauthorized" code must be used when a user:

  1. Is not logged in, but login is required ("not authenticated");
  2. Is logged in, but his profile doesn't allow him to see that URL ("not authorized").

According to the RFC, in both cases the server must return a 401 code. But I need to differentiate them in my ajax requests.

Does anybody have a tip to solve this?

Note: I don't want to use the 403 Forbidden code, because for 403 "Authorization will not help", according to the RFC.


Solution

  • You should pass a custom header in addition to the status code for application specific needs.

    I believe the current practice is to preface custom headers with X-.

    Update, August 2012:

    From the RFC 3864 posted in the comments (dated September 2004):

    In some cases (notably HTTP [24]), the header syntax and usage is redefined for the specific application. [...] In some cases, the same field name may be specified differently (by different documents) for use with different application protocols. [...] We need to accommodate application-specific fields, while wishing to recognize and promote (where appropriate) commonality of other fields across multiple applications.

    In a more recent RFC (6648, dated June 2012), they specifically address X- headers.

    Deprecates the "X-" convention for newly defined parameters in application protocols, including new parameters for established protocols. [...] Does not recommend against the practice of private, local, preliminary, experimental, or implementation-specific parameters, only against the use of "X-" and similar constructs in the names of such parameters.

    Important to note is that while X- is specifically noted, they do still implicitly condone custom headers as a way of transferring information. An application specific prefix (MyApp-) might be more appropriate to avoid ever colliding with any other headers.

    See also: Is it safe to use "X-" header in a HTTP response from a few years ago.
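One way to apply the answer's suggestion end to end, as an added example that is not part of the question or the answer: the server keeps 401 for both cases but adds an application-specific header, and the ajax client branches on that header. The header name `MyApp-Auth-Status`, its two values, the Bearer realm and the session/role model are assumptions made for illustration.

```javascript
// Added example (not from the question or answer). Header name is hypothetical,
// chosen with an application prefix rather than "X-" as RFC 6648 recommends.
const AUTH_STATUS_HEADER = "MyApp-Auth-Status";

// Server side: decide the response for one request. `session` is null when the
// caller is not logged in; `requiredRole` is the role the URL needs (assumed model).
function authorize(session, requiredRole) {
  const headers = {};
  if (session === null) {
    // Not authenticated. A 401 must carry WWW-Authenticate (RFC 7235 section 3.1);
    // the realm value here is a constructed placeholder.
    headers["WWW-Authenticate"] = 'Bearer realm="myapp"';
    headers[AUTH_STATUS_HEADER] = "not-authenticated";
    return { status: 401, headers };
  }
  if (!session.roles.includes(requiredRole)) {
    // Authenticated but not permitted: same status code, different reason header,
    // so the status stays RFC-conformant while the client can still tell the cases apart.
    headers["WWW-Authenticate"] = 'Bearer realm="myapp"';
    headers[AUTH_STATUS_HEADER] = "not-authorized";
    return { status: 401, headers };
  }
  return { status: 200, headers };
}

// Client side. HTTP header names are case-insensitive, so look them up that way
// rather than assuming the server preserved the exact spelling.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : headers[key];
}

// Map a response to the action the ajax handler should take.
function nextAction(response) {
  if (response.status === 200) return "render";
  if (response.status !== 401) return "show-error";
  switch (getHeader(response.headers, AUTH_STATUS_HEADER)) {
    case "not-authenticated": return "redirect-to-login";
    case "not-authorized":    return "show-access-denied";
    default:                  return "redirect-to-login"; // header absent: plain 401 semantics
  }
}
```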