Exception Management


Make sure you do not return full exception details to the caller. Stack traces, type and method names, and internal paths in exception messages tell an attacker how the component is built. If you use an ASP.NET host, make sure the host's configuration file (Web.config) sets the remoting customErrors mode so that generic error messages are returned to the client, as shown below.

  <configuration>
    <system.runtime.remoting>
      <!-- Valid values for mode attribute are
           on - callers receive default error messages
           remoteOnly - clients on the same computer as the remote component receive
                        detailed exception information. Remote calls receive a
                        default error message
           off - callers receive detailed exception information -->
      <customErrors mode="on"/>
    </system.runtime.remoting>
  </configuration>

Use mode="on" or mode="remoteOnly". Do not use mode="off" on production servers. Note that mode="remoteOnly" still returns full exception details to callers on the same computer, so it is suitable for debugging on a development machine rather than as a production hardening setting.

Using a Custom Channel Sink

You could implement a custom channel sink to perform client-side and/or server-side exception logging. A sink placed ahead of the formatter in the sink chain implements IMessageSink and can log in its SyncProcessMessage or AsyncProcessMessage methods; a sink placed after the formatter implements IClientChannelSink or IServerChannelSink and can log in ProcessMessage. A remote exception is not thrown through the sink chain; it travels back inside the return message. The IMessage parameter identifies the call (type and method name), and the Exception property of the IMethodReturnMessage that comes back from the next sink holds the server-side exception, so that is where to capture the details for the log while the caller continues to receive only the generic error.
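The following is an added example, not code from the book: a client-side sink provider and sink that log the exception carried in a remote call's return message. The class names, the namespace and the log file path are assumptions chosen for illustration. The provider is registered in the client's <clientProviders> section ahead of the <formatter> entry, so the sink sees IMessage objects and can read IMethodReturnMessage.Exception.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Messaging;

// Provider referenced from <clientProviders>; it must precede the <formatter>
// so that the sink it creates receives IMessage objects rather than streams.
public class ExceptionLoggingSinkProvider : IClientChannelSinkProvider
{
    private IClientChannelSinkProvider _next;

    // Constructor signature the runtime uses when the provider comes from config.
    public ExceptionLoggingSinkProvider(IDictionary properties, ICollection providerData) { }

    public IClientChannelSinkProvider Next
    {
        get { return _next; }
        set { _next = value; }
    }

    public IClientChannelSink CreateSink(IChannelSender channel, string url, object remoteChannelData)
    {
        IClientChannelSink nextSink = (_next != null) ? _next.CreateSink(channel, url, remoteChannelData) : null;
        return new ExceptionLoggingSink(nextSink);
    }
}

public class ExceptionLoggingSink : BaseChannelSinkWithProperties, IClientChannelSink, IMessageSink
{
    // Assumed log location for this example.
    private const string LogPath = @"C:\logs\remoting-client.log";
    private readonly IClientChannelSink _nextChannelSink;
    private readonly IMessageSink _nextMessageSink;

    public ExceptionLoggingSink(IClientChannelSink nextSink)
    {
        _nextChannelSink = nextSink;
        _nextMessageSink = nextSink as IMessageSink; // the formatter sink implements both interfaces
    }

    // IMessageSink: the return message is where the remote exception is visible.
    public IMessageSink NextSink { get { return _nextMessageSink; } }

    public IMessage SyncProcessMessage(IMessage msg)
    {
        IMessage reply = _nextMessageSink.SyncProcessMessage(msg);
        LogIfFaulted(msg, reply);
        return reply;
    }

    public IMessageCtrl AsyncProcessMessage(IMessage msg, IMessageSink replySink)
    {
        // Wrap the caller's reply sink so asynchronous replies are inspected as well.
        return _nextMessageSink.AsyncProcessMessage(msg, new ReplyLoggingSink(msg, replySink));
    }

    internal static void LogIfFaulted(IMessage request, IMessage reply)
    {
        IMethodReturnMessage ret = reply as IMethodReturnMessage;
        if (ret == null || ret.Exception == null) return;
        IMethodCallMessage call = request as IMethodCallMessage;
        string method = (call != null) ? call.TypeName + "." + call.MethodName : "<unknown>";
        // Full details stay in the local log; the caller only ever sees the reply itself.
        File.AppendAllText(LogPath, DateTime.UtcNow.ToString("o") + " " + method + " " + ret.Exception + Environment.NewLine);
    }

    // Reply sink handed to the next sink for asynchronous calls.
    private sealed class ReplyLoggingSink : IMessageSink
    {
        private readonly IMessage _request;
        private readonly IMessageSink _inner;
        public ReplyLoggingSink(IMessage request, IMessageSink inner) { _request = request; _inner = inner; }
        public IMessageSink NextSink { get { return _inner; } }
        public IMessage SyncProcessMessage(IMessage reply)
        {
            LogIfFaulted(_request, reply);
            return _inner.SyncProcessMessage(reply);
        }
        public IMessageCtrl AsyncProcessMessage(IMessage msg, IMessageSink replySink)
        {
            return _inner.AsyncProcessMessage(msg, replySink);
        }
    }

    // IClientChannelSink: at the stream level there is nothing to log, so pass through.
    public IClientChannelSink NextChannelSink { get { return _nextChannelSink; } }

    public void ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream,
        out ITransportHeaders responseHeaders, out Stream responseStream)
    {
        _nextChannelSink.ProcessMessage(msg, requestHeaders, requestStream, out responseHeaders, out responseStream);
    }

    public void AsyncProcessRequest(IClientChannelSinkStack sinkStack, IMessage msg, ITransportHeaders headers, Stream stream)
    {
        _nextChannelSink.AsyncProcessRequest(sinkStack, msg, headers, stream);
    }

    public void AsyncProcessResponse(IClientResponseChannelSinkStack sinkStack, object state, ITransportHeaders headers, Stream stream)
    {
        _nextChannelSink.AsyncProcessResponse(sinkStack, state, headers, stream);
    }

    public Stream GetRequestStream(IMessage msg, ITransportHeaders headers)
    {
        return _nextChannelSink.GetRequestStream(msg, headers);
    }
}
```

The same pattern applies on the server side with an IServerChannelSink (or an IMessageSink placed before the server formatter): log the exception from the return message, then let the configured customErrors mode decide how much of it the caller receives. Keep the log file itself out of any web-accessible directory, since it now holds the detail you deliberately withhold from clients.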




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613