WOODLANDS CAMPUS
OFFICE OF INFORMATION SERVICES

OIS POLICY
WEB APPLICATION ERROR HANDLING STANDARDS
VERSION 1.0

Table of Contents

1. Version Control
   1.1. Document Information
   1.2. Version History
   1.3. Distribution List
2. Introduction
   2.1. Objective
   2.2. Scope
   2.3. Responsibility
3. Implementation
   3.1. To configure the application to turn off errors for remote users
   3.2. To include error handling
   3.3. Capturing, Logging, and Storing

1. Version Control

1.1. Document Information
Prepared By          Francis Ngoi
Department           Office of Information Services
Date Prepared        20 May 2010
Last Updated By      Seah Chen Khoon
Last Updated Date    1 June 2010
Reviewed By          Nicholas Wang
Date Reviewed        2 June 2010
Approved By          Neo Yong Chiang, CIO
Approved Date        3 June 2010

1.2. Version History

Date          Version Number   Author         Description of Changes
20 May 2010   1.0              Francis Ngoi   Creation of document and initial input

1.3. Distribution List

Name                     Departments                                                                  Rights
Master Copy (Original)   CIO, Deputy CIO, IT Security Manager, Technical Architect, Solution Architect   Full Access Rights
All OIS Staff                                                                                         Read Only
All Staff                                                                                             Read Only

2. Introduction

2.1. Objective

The objective of this document is to standardize and ensure a consistent web application error handling strategy, which is a fundamental part of web application behaviour, in order to prevent potential information leakage. When a runtime error occurs in a web application, the default error page gives a detailed description of the error, which a malicious user can exploit further. Instead of showing the default error page, this strategy shows a friendly page to customers while still providing the detailed technical information to developers via log files for troubleshooting purposes.

2.2. Scope

This standard is applicable to all web applications deployed in RP under the maintenance of the Office of Information Services (OIS). The sample code for error handling provided in this standard is only applicable to ASP.NET. Similar handling is expected for applications written in other languages approved in the RP Software Architecture Overview.

2.3. Responsibility

Project Manager: Ensures that the application support team and developers adhere to this standard during project development and application deployment.

Application Support: Configures the system in accordance with this standard.
Application Developer: Handles and traps all other uncommon errors in accordance with this standard.

3. Implementation

The following three steps provide the standards to construct friendly custom error pages.

3.1. To configure the application to turn off errors for remote users

i. In the Web.config file for your application, make the following changes to the customErrors element.

ii. Set the mode attribute to RemoteOnly (case-sensitive). This configures the application to show detailed errors only to local users, mainly the support staff accessing the console directly. Include a defaultRedirect attribute that points to an application error page. Include <error> elements that redirect specific errors to specific pages. The following code shall be configured in the customErrors block in the Web.config file.

    <customErrors mode="RemoteOnly" defaultRedirect="error.html">
        <error statusCode="500" redirect="err500.html"/>
        <error statusCode="404" redirect="err404.html"/>
        <error statusCode="403" redirect="err403.html"/>
    </customErrors>

3.2. To include error handling

i. The following are the suggested contents for the respective custom error pages.

500: Internal Server Error
    "Page cannot be displayed"
    Sorry, an error has occurred while processing the requested page. Please try again later.
    (Do not redirect for this error.)

404: File Not Found
    Sorry, the file you were looking for could not be found. You may have typed the wrong URL or the file may have been moved to a new location. You may contact Help-IT for assistance. You will be redirected to the Homepage in 5 seconds.

403: Access Forbidden
    Sorry, you are not authorized to view the web page which you are attempting to load. You may contact Help-IT for assistance. You will be redirected to the Homepage in 5 seconds.

ii. The error page shall refresh and redirect to the application's unprotected main page, or an equivalent page, after 5 seconds. A sample redirect code is shown below.
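The customErrors requirements in section 3.1 are easy to get wrong in one attribute (a developer leaves mode="Off" in place after debugging, or forgets an <error> entry). The script below is an added example, not part of this policy and not OIS code: it parses a Web.config with the Python standard library and reports every deviation from the section 3.1 block. The two configurations WEAK_CONFIG and POLICY_CONFIG are constructed samples, not real site configuration.

```python
"""Audit the <customErrors> block of an ASP.NET Web.config against section 3.1.

Added example, not part of the OIS policy: reports every deviation from the
policy (mode must be exactly "RemoteOnly", a defaultRedirect must be set, and
500/404/403 must each map to a redirect page). The sample configs below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import List

REQUIRED_STATUS_CODES = ("500", "404", "403")

# Constructed sample: the setting that leaks exception text to remote users.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: the block the policy asks for.
POLICY_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="error.html">
      <error statusCode="500" redirect="err500.html"/>
      <error statusCode="404" redirect="err404.html"/>
      <error statusCode="403" redirect="err403.html"/>
    </customErrors>
  </system.web>
</configuration>"""


def audit_custom_errors(web_config_xml: str) -> List[str]:
    """Return the list of findings; an empty list means the block is compliant."""
    findings = []
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        return ["no <customErrors> element under <system.web>; the policy requires an explicit block"]

    # The mode attribute is case-sensitive: only the exact value "RemoteOnly" satisfies the policy.
    mode = node.get("mode", "")
    if mode == "Off":
        findings.append('mode="Off": detailed error pages (exception text, stack trace) are served to remote users')
    elif mode != "RemoteOnly":
        findings.append(f'mode="{mode}": policy requires mode="RemoteOnly"')

    if not node.get("defaultRedirect"):
        findings.append("missing defaultRedirect: errors without a specific <error> entry fall back to the framework page")

    # Every required status code needs an <error> element with a redirect target.
    mapped = {}
    for err in node.findall("error"):
        mapped[err.get("statusCode", "")] = err.get("redirect", "")
    for code in REQUIRED_STATUS_CODES:
        if code not in mapped:
            findings.append(f'no <error statusCode="{code}"> entry')
        elif not mapped[code]:
            findings.append(f'<error statusCode="{code}"> has no redirect target')
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK_CONFIG", WEAK_CONFIG), ("POLICY_CONFIG", POLICY_CONFIG)):
        result = audit_custom_errors(cfg)
        print(f"{name}: {'compliant' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a deployed Web.config by reading the file into a string and passing it to audit_custom_errors; an empty result means the block matches the policy, and each finding names the attribute or <error> entry to correct.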
    <form id="form1" runat="server">
        <div>
            <script type="text/javascript">
                // Redirect to the unprotected main page after 5 seconds.
                setTimeout(function () { location.href = 'main_page.htm'; }, 5000);
            </script>
        </div>
    </form>

iii. For a web page that inherits a Master page, the sample code is as shown below.

    <asp:Content ID="Content1" ContentPlaceHolderID="mainContent" Runat="Server">
        <script type="text/javascript">
            // Redirect to the unprotected main page after 5 seconds.
            setTimeout(function () { location.href = 'main_page.htm'; }, 5000);
        </script>
    </asp:Content>

3.3. Capturing, Logging, and Storing

i. When an error occurs, the Application_Error sub is called. The error shall be logged.

ii. Below is a sample error logging code in Global.asax.

    <%@ Import Namespace="System.Diagnostics" %>
    <script runat="server">
    void Application_Error(object sender, EventArgs e)
    {
        // Write the request path, message and stack trace of the last server error to the log.
        Exception ex = Server.GetLastError();
        CommonDB comDB = new CommonDB();
        comDB.WriteExceLogFile(Request.Path, ex.Message, ex.StackTrace);
    }
    </script>

iii. The LogError table shall have the following fields:

    Field        Comments                      Type
    ID           Identity of the application   Auto Number
    RequestURL   URL where error occurs        NVarchar(500)
    Message      Error message                 NText
    StackTrace   Stack trace of error          NText
    Created on   DateTime created              DateTime, default Now

iv. Try-catch blocks shall be used around any statements that might generate errors during new application development. Error handling shall be included whenever practical, and shall adopt the custom error messages recommended in this policy. Create a global error handler at the page or application level that catches all unhandled exceptions and routes them to a generic error page.

    public void run()
    {
        while (!stop)
        {
            try
            {
                // Perform work here
            }
            catch (Exception ex)
            {
                // Log the exception and continue; the user sees only a generic
                // message and the log record ID, never the exception detail.
                CommonDB comDB = new CommonDB();
                int errorID = comDB.WriteExceLogFile(Request.Path, ex.Message, ex.StackTrace);
                WriteToUser("An error has occurred", errorID);
            }
        }
    }
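Both the Global.asax sample in 3.3(ii) and the global handler in 3.3(iv) rely on a CommonDB class whose code is not in this policy. The example below is added here and is not OIS code or the CommonDB implementation: it models the LogError table from 3.3(iii) in an in-memory SQLite database (column names are the table's with spaces removed; SQLite types approximate the Access/SQL Server types listed) and shows the split the policy requires, full detail (request URL, message, stack trace) in the log and only a generic message plus the record ID for the user. The failing request handler and the request URL are constructed samples.

```python
"""Log full error detail server-side and return only a reference ID to the user.

Added example, not part of the OIS policy and not its CommonDB class: models
the LogError table in SQLite and a page-level catch-all handler that keeps
exception text out of the response. The failing handler below is constructed.
"""
import sqlite3
import traceback
from datetime import datetime, timezone

# Same columns as the policy's LogError table (SQLite types are approximations).
SCHEMA = """
CREATE TABLE LogError (
    ID         INTEGER PRIMARY KEY AUTOINCREMENT,
    RequestURL NVARCHAR(500) NOT NULL,
    Message    TEXT NOT NULL,
    StackTrace TEXT NOT NULL,
    CreatedOn  DATETIME NOT NULL
)
"""

COLUMNS = ("ID", "RequestURL", "Message", "StackTrace", "CreatedOn")

# Wording follows the policy's 500 page; the reference ID lets support find the log record.
USER_MESSAGE = "Sorry, an error has occurred while processing the requested page. Please try again later. (Reference ID: {id})"


class ErrorLog:
    """Stand-in for CommonDB.WriteExceLogFile, backed by a SQLite LogError table."""

    def __init__(self, path: str = ":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(SCHEMA)

    def write(self, request_url: str, exc: BaseException) -> int:
        """Store request URL, message and full stack trace; return the new row's ID."""
        stack = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        cur = self.conn.execute(
            "INSERT INTO LogError (RequestURL, Message, StackTrace, CreatedOn) VALUES (?, ?, ?, ?)",
            (request_url[:500], str(exc), stack, datetime.now(timezone.utc).isoformat()),
        )
        self.conn.commit()
        return cur.lastrowid

    def fetch(self, error_id: int) -> dict:
        """Look up a record by the ID shown to the user (what support staff would do)."""
        row = self.conn.execute(
            "SELECT ID, RequestURL, Message, StackTrace, CreatedOn FROM LogError WHERE ID = ?",
            (error_id,),
        ).fetchone()
        return dict(zip(COLUMNS, row)) if row else {}


def handle_request(log: ErrorLog, request_url: str, work) -> str:
    """Global handler: run `work`; on any exception log the detail and return a generic message."""
    try:
        return work()
    except Exception as exc:  # catch-all, the page-level equivalent of Application_Error
        error_id = log.write(request_url, exc)
        return USER_MESSAGE.format(id=error_id)


def failing_work():
    # Constructed failure standing in for a broken page handler.
    raise KeyError("missing config key 'ConnectionString'")


if __name__ == "__main__":
    log = ErrorLog()
    print(handle_request(log, "/orders/list.aspx?id=42", failing_work))
    print(log.fetch(1)["StackTrace"])
```

The response never carries the exception message or stack trace, only the reference ID; the stored record holds everything the developer needs, and the fetch by ID is the lookup support staff perform when a user reports the reference number.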