Use proper HTTP response codes

[chances]

e.g. 401, 403, 200, etc. where applicable

The login post request should respond with 401 on bad login attempts, rendering the login page with an error. 200 means OK, everything's fine, which is incorrect in this case.

Attempts to request other routes when unauthenticated should respond with 403 and render the login page with an error or other response type (JSON if Accepts: JSON is present).

[chances]

HTTP Status Codes - HTTP status codes and how to use them in RESTful API or Web Services.