Wouldn't unauthorized only be meant for AFTER a login is successful? Like, the user should have to have an active session first. Maybe you're just talking about that case though.