when a kernel error "1" is emitted, by default eZ sends a response page with a clear error message and a login form.
But the http resp. code is 200.
This can be a problem if there is any caching reverse proxy in front, or if the user has set up eZ to emit caching headers using site.ini, the page will be cached.
Imagine the following scenario
1. user visits page as anonymous, to which he is denied access
2. user logs in
3. user visits the same page again (to which he now has access) => then he will still see the "access denied" page unless he clicks on the "refresh" button.
The fix: use error.ini to emit a 403 http error code by default with any kernel error 1: