Exception Management


Correct exception handling in your Web pages prevents sensitive exception details (stack traces, file paths, connection strings, internal class names) from being revealed to the user. The following recommendations apply to ASP.NET Web pages and controls.

  • Return generic error pages to the client.

  • Implement page-level or application-level error handlers.

For more information about exception management, see Chapter 7, "Building Secure Assemblies."

Return Generic Error Pages to the Client

In the event of an unhandled exception, that is, one that propagates to the application boundary, return a generic error page to the user. To do this, configure the <customErrors> element in Web.config as follows (mode="On" hides exception details from every client, including browsers on the Web server itself; mode="RemoteOnly" hides them from remote clients only, which is useful during development but must not leave details reachable from any machine an attacker can use):

 <customErrors mode="On" defaultRedirect="YourErrorPage.htm" /> 

The error page should include a suitably generic error message, possibly with additional support details. The name of the page that generated the error is passed to the error page through the aspxerrorpath query parameter.

You can also use multiple error pages for different types of errors. For example:

 <customErrors mode="On" defaultRedirect="YourErrorPage.htm">
    <error statusCode="404" redirect="YourNotFoundPage.htm"/>
    <error statusCode="500" redirect="YourInternalErrorPage.htm"/>
 </customErrors>

For individual pages you can supply an error page using the following page-level attribute:

 <% @ Page ErrorPage="YourErrorPage" %> 

Implement Page-Level or Application-Level Error Handlers

If you need to trap and process unhandled exceptions at the page level, create a handler for the Page_Error event similar to the one shown below. Note that once the handler calls Server.ClearError, ASP.NET treats the error as handled and does not apply the <customErrors> redirect, so the handler itself is responsible for sending the user to the generic page.

 public void Page_Error(object sender, EventArgs e)
 {
   // Get the source exception details
   Exception ex = Server.GetLastError();
   // Write the details to the event log for diagnostics
   . . .
   // Prevent the exception from propagating and generating an
   // application level event (Application.Error)
   Server.ClearError();
 }

If exceptions are allowed to propagate from the page handler or there is no page handler, an application error event is raised. To trap application-level events, implement Application_Error in Global.asax, as follows:

 protected void Application_Error(Object sender, EventArgs e)
 {
   //  Write to the event log.
 }
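The following is an added example, not code from the book, that fills in both handlers described above with a shared logging routine. It assumes an event source named "YourWebApp" (which an administrator must create at install time, because the ASP.NET worker process identity normally cannot create event sources), a generic page named YourErrorPage.htm as in the <customErrors> example, and a page class named OrdersPage for illustration. It writes the full exception chain only to the Windows event log, never to the response, and because Server.ClearError suppresses the <customErrors> redirect, it sends the client to the generic page explicitly.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

// Added example (not from the book). Shared by the page-level and
// application-level handlers so the two never diverge in what they log
// or what they send to the client.
public sealed class ErrorReporter
{
    // Assumed event source name. Create it at install time with
    // administrator rights; do not attempt EventLog.CreateEventSource
    // from inside the Web application.
    public const string EventSource = "YourWebApp";

    public static void Log(HttpContext context, Exception ex)
    {
        if (ex == null)
        {
            return;
        }

        // In Application_Error the exception is wrapped in an
        // HttpUnhandledException; ex.ToString() prints the wrapper, every
        // inner exception and the stack trace, so nothing is lost.
        string details = String.Format(
            "Unhandled exception for {0} {1}{2}{3}",
            context.Request.HttpMethod,
            context.Request.RawUrl,
            Environment.NewLine,
            ex.ToString());

        try
        {
            EventLog.WriteEntry(EventSource, details, EventLogEntryType.Error);
        }
        catch (Exception)
        {
            // A logging failure must not become a second unhandled exception
            // that bypasses the generic page; swallow it here.
        }
    }

    // Server.ClearError marks the error as handled, so ASP.NET will not apply
    // the <customErrors> redirect. Send the client to the generic page here.
    public static void ShowGenericPage(HttpContext context)
    {
        context.Server.ClearError();
        context.Response.Clear();
        // endResponse: false avoids the ThreadAbortException that
        // Response.Redirect otherwise raises inside an error handler.
        context.Response.Redirect("~/YourErrorPage.htm", false);
        context.ApplicationInstance.CompleteRequest();
    }
}

// Page-level handler (code-behind of a hypothetical Orders.aspx).
public class OrdersPage : Page
{
    protected void Page_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        ErrorReporter.Log(Context, ex);
        ErrorReporter.ShowGenericPage(Context);
    }
}

// Application-level handler (Global.asax code-behind). Catches anything a
// page did not handle, including errors raised outside page processing.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        ErrorReporter.Log(Context, ex);
        ErrorReporter.ShowGenericPage(Context);
    }
}
```

Keep the generic page a static .htm file: if the error page were itself an .aspx page that could throw, a failure there would re-enter the same error path and the user could end up seeing the default ASP.NET error output.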



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613