I have deployed the web application and customer accessing web application publically in between my databse down then I want show the custom message to the user. In my web application 50 pages, and I want to handle message commonly for all pages. Please help how to do this.
You can configure a section in web.config that tells ASP.NET/IIS to redirect users to a set of static or dynamic pages in case of common errors.
Check out this article - http://www.asp.net/hosting/tutorials/displaying-a-custom-error-page-cs
The scenario is pretty similar - something goes wrong with the SQL DB call and you dont want to display an ugly error.
Make sure to include some sort of logging somewhere so that you know these errors are happing, however. One plus side of ugly error messages are that you'll hear about them right away ;)
Related
I am trying to use Identity Server 4 for Authenticationa and authorization purpose but which ever project i try to run is throwing only 1 error which is like bugging me alot because i have search for this error and i cant find a stable and proper solution for this.
Error :
Error connecting to
http://localhost:5000/.well-known/openid-configuration: An error
occurred while sending the request.
Couple of projects in which i am getting same error and dont know how to solve it :
https://www.dropbox.com/s/9hs3huwt8h035ek/oauth2Demo-master.rar?dl=0
Another Project : Download but same error
In my first project it seems like there is some problem related to SSL certificate though i tried to follow below link to install certificate but still this error exist :
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Certificates
But in my second project there is no such SSL certificate problem but still same error.
Is there any way to resolve that error?
I downloaded the solution and I can confirm you need to make sure to run the OAuth2Demo.IdentityServer project, you can actually start it up and navigate to https://localhost:44305/admin/ to see the admin environment of identityserver. It apperantly also needs a sql connection to store configuration information, I didn't dig into those details but with the OAuth2Demo.IdentityServer running the other projects can also be started.
My suggestion is to get the things done one by one.
From your screens I see that on the first you are trying to reach IDS at localhost:44305, and on the second screen, you are trying to reach it at localhost:5000. It will be a good thing to set it as a constant value ( right click on your Identity Server project ->Properties->Debug->Web Server Settings->App URL) and then use this value through all of your clients.
Then - enable Identity Server logging - check here. You can extend this example - serilog basic configurations. So far logging has saved me many times, so I can say that it is really important. Make sure that the App pool account, running the application has the rights to create files, where you want them to be created.
Now the real problem:
Lets assume that you select localhost:5000 as url for your IDS.
First of all start (debug) only the Identity Server project. This should take you to localhost:5000 and you will see a welcome message from Identity Server 4.
If you see it, this means that your IDS is working. This also means that you will be able to access the Discovery Document - the one thing that is failing in your clients. Now its about time to setup your clients.
If not, this means that there is something wrong with your Identity Server instance, and that is the place to dig.
First thing I'll do is to check the logs. They will say what the problem is.
Then - I figure out that you are trying to use custom certificate for this (correct me if I've misunderstood). Why don't you try using the Developer Signing Credential (check the ConfigureServices of Startup.cs) at least for starting it up.
Later on, if you decide to use your custom certificate, have in mind that the user, that is running the IDS application (by user I mean the application pool user) should have at least read privileges over the certificate (I guess that you've seen that in the article you have provided).
Do all these, and let's see what progress you will have, but most important - enable the logging.
We are using the web security scanner which found out one of my web page has a Bind SQLi. The scanner modified the parameter "news.aspx?id=123" to "news.aspx?i=123' or 1=1--", And the web server responses to the news information for id=1 information currently.
After investigation from development team, they said that there's no injection cannot access to Database which has already blocked by the .NET Built-in API SQL Parameter, and the back-end program will auto return the data of id=1 information to client side.
May I know can it be identified as false positive, or is it better to redirect to generic error pages? Or it is enough and acceptable for current stage?
the back-end program will auto return the data of id=1 information to client side.
IMO, this is a lame behavior for the backend. I'd say the page should detect the error and redirect the user to an error page. Nevertheless, based on that description it is not a valid injection, so if the business can accept that behavior, then it is a false positive.
P.S. While this isn't a SQL injection, it is potentially an information disclosure bug if it's possible to get the page to display the data for id=1 and the user of the page shouldn't have access to that particular record.
So long as your underlying application code is parameterizing the values being sent to SQL (as your developers claim), then you do not need to worry about such warnings.
Scenario: We have a website that is viewed both internally and externally. When an error occurs the users are displayed with a detailed error page(Stack trace etc).
Problem: The external customers do not need that much information about the error. We are looking to have the external customers see a messsage instead. Ex. Please contact Administrator. Also if possible we would like to log this message in our SQL database.
Note: I'm assuming I make a custom error page like - Implementing a Custom Error page on an ASP.Net website but how do I determine whether or not the user is internal/external? Also is this the best way to approach the problem? Additionally if anyone has suggestions on the best way to store these errors in the database that is also appreciated.
Thanks in advance.
YOu can try settings your mode to RemoteOnly in the web.config
<customErrors mode="RemoteOnly">
This way local users will see the error, and external users will see the other error pages which you have set up.
There is an article here about such things http://aspnetresources.com/articles/CustomErrorPages
The way I would do this is to have different entry points for external and internal users. I would do this through the hostname. By varying the hostname I could then create a custom error experiance for each type of user.
If by 'internal' you mean logged in, and 'external' you mean anonymous, you could use the same custom error page but check the user's logged in state using Request.IsAuthenticated
You could then simply display the message based on the user's status.
For storage of errors you could use log4net and/or ELMAH. ELMHA is specifically for catching unhandled exceptions. Log4net is predominantly for logging from within your code, i.e. from within a try/catch statement.
It is good practice to use both.
That article is on the right track of what you need to do. Also, see:
http://aspnetresources.com/articles/CustomErrorPages
http://www.asp.net/hosting/tutorials/displaying-a-custom-error-page-cs
http://weblogs.asp.net/erobillard/archive/2003/04/23/5992.aspx
The determination about whether a user is internal or external will be handled by the web server.
customErrors for RemoteOnly will probably not help you because RemoteOnly only refers to users not accessing the page from the same physical box. Users on the LAN will be treated as remote just like users from the WAN will.
If I had to solve your problem, I would start in Application_Error and examine Request.UserHostAddress and Request.UserHostName but even those are not going to be completely reliable because on my corporate intranet, my address of 10.4.42.219 might very well match your companies internal addresses, and UserHostName is supposed to be a human readable name but it isn't always - case in point, look at it running in debug mode and both UserHostAddress and UserHostName will be "127.0.0.1" when you'd expect the latter to be "localhost".
See the problem here is that by the time they hit your webserver, they're inside the firewall, and the server is a listener - so it doesn't matter what IP the incoming connection CLAIMS to be from (spoofing being a very real problem), your webserver isn't gonna initiate a response, it's going to send a response down the very pipeline that the client opened.
Now if your firewall can be configured to leverage spoofing and force the IP coming in to be a specific value, that would be one possible way to reliably identify external connections, and by process of elimination, the internal ones but I can't speak to the viability of that approach with any certainty.
Edit to add: I suspect your initial question may itself be flawed. The question I'm asking myself is, who on your internal side really cares about the error message? Is your corporate secretary going to want to see stack trace info? Probably not.
I suspect that what you REALLY need here is active authentication and role based security, such that only specifically identified users - members of the "Error Investigator" role perhaps - should see those detailed exceptions, and everyone else, including internal users, gets the pretty custom page.
We've now got plenty of sites which all use a log4net base error loging framework and we receive error from site from anywhere it append. We've notice that some of them catch error because of "Bot" like google, bing, yahoo, etc. But there's a things we've not sure about how to resolve. I've two questions about it :
Is "Java/1.6.0_24" a Bot? Because the user-agent of my question #2 is about this.
The "Java/1.6.0_24" still calling subfolder on our site that just do not exists! Like, if we have a page called "Page1.aspx", instead of calling "~/Page1.aspx", he calls it "~/minisite/Page1.aspx". How can I tell him he's wrong? Is there a way to do it?
Thanks you
It's most likely a bot but it could as well be some kind of browser based on Java that sends that user-agent string - you can't trust it 100% but it can give you an estimate idea of what the connecting entity is. Depending on the kind of bot it might as well just ignore your robots.txt so I'd just impement some handling stuff somewhere.
Did those folders ever exist? If so, you could use HTTP's permanent redirect (code 301) to tell him to no longer look there - however that doesn't guarantee it will do so.
Where would I need to hook in (at what event) to be able send myself every 500 error that happens on my current ASP.NET project. Something inside the global.asax? And I'd like to send myself the output that the user would see. The white/yellow/black 500 standard ASP.NET error HTML.
My users only see the errors about 10% of the time. The other 90% these are Ajax responses.
You can do this in global.asax.cs using Global Error Handling in ASP.Net using the Application_Error(...) method
If you're more interested in the end result than in the process of making it work yourself, you might like to take a look at the Elmah ("Error Logging Modules and Handlers") project - http://code.google.com/p/elmah/
It's allows you to do many things with errors - send email notifications, log them to a database, browse the error log via a web interface, and even crazy things like an RSS feed of errors or using Twitter to tweet errors.
It's quite easy to install and configure.