Sunday, October 19, 2008

Tags in web.config Part-2

Custom Error tag

So you have developed your web application, and all of a sudden an error is thrown somewhere in it and you get the white and yellow error page of ASP.NET. That page gives all sorts of technical information which may not be of any use to the normal users of your application but is of great use to hackers. So how do you avoid this?

One way to handle this kind of error is to write code in the "Application_Error" event of global.asax and then redirect the request to the custom error page. The other, more elegant way of handling errors is to use the "customErrors" tag in the web.config file. A sample customErrors tag looks like the one shown below.

<customErrors mode="On" defaultRedirect="CustomError.aspx">
    <error statusCode="404" redirect="FileNotFound.htm"/>
    <error statusCode="500" redirect="IntrnServerError.aspx"/>
</customErrors>

What the customErrors tag does is this: if there is an unhandled error in any of the web pages of the web application/website, the ASP.NET runtime automatically redirects to the custom error page mentioned in the defaultRedirect attribute of the customErrors tag. One point to note here is that an error inside a try/catch block will not be redirected to the custom error page, since it is handled in the catch block.

The attributes of the customErrors tag are explained below.

Tag Explanation
mode The mode attribute tells the system whether the custom errors are disabled or enabled. The allowed values for the attribute are On, Off and RemoteOnly. The default value is RemoteOnly.
On: Custom errors are enabled. If no URL is specified in the defaultRedirect attribute, then all the errors in the application will be shown in the (ugly) yellow and white page of ASP.NET. If a URL is specified in the defaultRedirect attribute, then any error in any page of the application will be redirected to that URL, whether the application is accessed remotely or locally.
RemoteOnly: If you want to display the full details of the error in the ugly page of ASP.NET to persons accessing the application locally, and redirect remote users to the custom page mentioned in the defaultRedirect attribute, then you can make use of RemoteOnly. This can be useful to developers who want to see the actual exception rather than the nicely designed error page. How it works is that when a user accesses the page locally, i.e. from the machine where it is hosted, the yellow and white error page of ASP.NET will show up with the full error details, whereas a normal user who accesses the application from the convenience of his home will see the nicely designed error page if any error occurs.
Off: The custom errors are switched off when Off is used, i.e. the detailed error page of ASP.NET will be shown for all the errors in the application, both for the remote user (normal user) of the application and for the local user.

defaultRedirect

The URL to which the browser will be redirected on any error in the application. If the attribute is not used or is left blank, then the error will be displayed in the ASP.NET error page with full error details. This is an optional parameter.

Now you have set up the custom error pages and, as you are aware, any error in any of the aspx pages will be redirected to the custom error page. Next you want to log, from the custom error page, the last error that occurred in some aspx page. You have to retrieve the error, and for this you can make use of the Server class to get the last error, as shown below.

Exception ex = Server.GetLastError();

GetLastError() will get the last error raised. Now, using the ex variable, you can log the required info to your log file or database, wherever you want. Using this approach you have a central place from which you can log any unhandled error. Isn't it a neat approach?
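The central logging described above, written against the "Application_Error" event of global.asax mentioned earlier, where the exception is still attached to the failing request. This is an added example, not code from the original post; the class name Global and the use of System.Diagnostics.Trace as the log destination are assumptions.

```csharp
// Global.asax.cs (added example; class name and log sink are assumptions)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Raised for every unhandled exception, before customErrors redirects.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return; // nothing to log
        }

        // Page exceptions arrive wrapped in HttpUnhandledException;
        // GetBaseException() returns the innermost (original) exception.
        Exception root = ex.GetBaseException();

        // An HttpException carries the status code that customErrors matches
        // against its <error statusCode="..."> entries; anything else is a 500.
        HttpException httpEx = ex as HttpException;
        int status = (httpEx != null) ? httpEx.GetHttpCode() : 500;

        // Log the path only: query strings can hold tokens or personal data.
        string path = Request.Url.AbsolutePath;

        // Full details (type, message, stack trace) stay in the server-side
        // log; the visitor only ever sees the custom error page.
        System.Diagnostics.Trace.TraceError(
            "Unhandled error {0} on {1}: {2}: {3}\n{4}",
            status, path, root.GetType().FullName, root.Message, ex);

        // Server.ClearError() is deliberately not called, so the customErrors
        // section in web.config still chooses the page shown to the user.
    }
}
```

Because the handler never writes to the response, the stack trace and exception message reach only the log, whatever the customErrors mode is.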

Using the <error ... /> tag you can specify, for a specific HTTP status code, which custom error page is to be displayed instead of the system-provided error pages such as the file not found (404 status code) and internal server error (500 status code) pages. The error tag has two attributes, namely statusCode and redirect. In the statusCode attribute you can mention HTTP status codes like 400 (bad request), 401 (access denied), 403 (forbidden), 404 (not found) etc., and in the redirect attribute you can give the URL of the page to which you want to redirect for that particular status code.

<customErrors mode="On" defaultRedirect="CustomError.aspx">
    <error statusCode="400" redirect="badrequest.htm"/>
    <error statusCode="401" redirect="accessdenied.htm"/>
    <error statusCode="403" redirect="forbidden.htm"/>
    <error statusCode="404" redirect="notfound.htm"/>
</customErrors>

So whenever there is a file not found error, access denied, forbidden access etc., the user will be redirected to the custom error page mentioned in the redirect attribute against the statusCode attribute of the error tag.

Some of the status codes and their meanings are given below. These can be configured using the error tag of the customErrors tag in web.config.

Status Code Meaning
500 Internal server error
501 Header values specify a configuration that is not implemented.
502 Web server received an invalid response while acting as a gateway or proxy.
503 Service unavailable.
504 Gateway timeout.
400 Bad request.
401 Access denied.
403 Forbidden.
404 Not found.
405 HTTP verb used to access this page is not allowed (method not allowed.)
406 Client browser does not accept the MIME type of the requested page.
407 Proxy authentication required.
412 Precondition failed.
413 Request entity too large.
414 Request-URI too long.
415 Unsupported media type.
417 Execution failed.

Most of the errors mentioned in the above table will work along with the error tag. I have not tested all of them except for the few mentioned in the example. If someone finds the status codes not working, please let me know.

To be continued....


Sandeep