Web Application Error Handling Standards

OIS Policy
WOODLANDS CAMPUS
OFFICE OF INFORMATION SERVICES
VERSION 1.0
Table of Contents
1. Version Control
1.1. Document Information
1.2. Version History
1.3. Distribution List
2. Introduction
2.1. Objective
2.2. Scope
2.3. Responsibility
3. Implementation
3.1. To configure the application to turn off errors for remote users
3.2. To include error handling
3.3. Capturing, Logging, and Storing
1. Version Control
1.1. Document Information
Prepared By: Francis Ngoi
Department: Office of Information Services
Date Prepared: 20 May 2010
Last Updated By: Seah Chen Khoon
Last Updated Date: 1 June 2010
Reviewed By: Nicholas Wang
Date Reviewed: 2 June 2010
Approved By: Neo Yong Chiang, CIO
Approved Date: 3 June 2010

1.2. Version History
Date         Version Number   Author         Description of Changes
20 May 2010  1.0              Francis Ngoi   Creation of Documents & Initial Input

1.3. Distribution List
Name                    Departments                                                                    Rights
Master Copy (Original)  CIO, Deputy CIO, IT Security Manager, Technical Architect, Solution Architect  Full Access Rights
All OIS Staff           -                                                                              Read Only
All Staff               -                                                                              Read Only
2. Introduction
2.1. Objective
The objective of this document is to standardize a consistent web application error handling strategy, a fundamental part of web application behaviour, in order to prevent potential information leakage.
When a runtime error occurs in a web application, the default error page gives a detailed description of the error, and that description can be further exploited by a malicious user. Instead of showing the default error page, this strategy shows a friendly page to customers while still providing the detailed technical information to developers via log files for troubleshooting purposes.
2.2. Scope
This standard is applicable to all web applications deployed in RP under the maintenance of the Office of Information Services (OIS). The sample code for error handling provided in this standard is only applicable to ASP.Net. Equivalent handling is expected for applications written in the other languages approved in the RP Software Architecture Overview.
2.3. Responsibility
Project Manager: Ensures that the application support team and developers adhere to this standard during project development and application deployment.
Application Support: Configures the system in accordance with this standard.
Application Developer: Handles and traps all other uncommon errors in accordance with this standard.
3. Implementation
The following three steps provide the standards to construct friendly custom error pages.
3.1. To configure the application to turn off errors for remote users
i. In the Web.config file for your application, make the following changes to the customErrors element:
   - Set the mode attribute to RemoteOnly (case-sensitive). This configures the application to show detailed errors only to local users, that is, requests made from the server itself, mainly support staff working directly on the console. Remote users never receive the detailed error.
   - Include a defaultRedirect attribute that points to an application error page.
   - Include <error> elements that redirect specific errors to specific pages.
ii. The following code shall be configured in the customErrors block of the Web.config file.
<customErrors mode="RemoteOnly" defaultRedirect="error.html">
  <error statusCode="500" redirect="err500.html"/>
  <error statusCode="404" redirect="err404.html"/>
  <error statusCode="403" redirect="err403.html"/>
</customErrors>
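As an added example that is not part of this standard, the following C# program checks the customErrors block of a Web.config against the settings in section 3.1: it reports a mode other than RemoteOnly or On, a missing defaultRedirect, a redirect target that is not a static page (an .aspx error page that throws would itself reveal details), and missing <error> elements for 500, 404 and 403. The CustomErrorsAudit class and its Check method are this example's own names, and the non-compliant config is a constructed sample; the compliant one is the block from section 3.1 wrapped in its parent elements.

```csharp
// Added example (not the OIS standard's own code): audits the <customErrors>
// element of a Web.config against section 3.1. Assumes .NET 6+ (or .NET
// Framework 4.7.2+) for System.Xml.Linq and ToHashSet().
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class CustomErrorsAudit
{
    // Status codes for which section 3.1 requires a dedicated page.
    static readonly string[] RequiredCodes = { "500", "404", "403" };

    // Returns a list of findings; an empty list means the config complies.
    public static List<string> Check(string webConfigXml)
    {
        var findings = new List<string>();
        var doc = XDocument.Parse(webConfigXml);
        var ce = doc.Descendants("customErrors").FirstOrDefault();
        if (ce == null)
        {
            findings.Add("customErrors element missing: no friendly error page is configured");
            return findings;
        }

        // mode is case-sensitive; Off sends the detailed error page to every client.
        string mode = (string)ce.Attribute("mode") ?? "";
        if (mode != "RemoteOnly" && mode != "On")
            findings.Add($"mode=\"{mode}\" shows detailed errors to remote users; expected RemoteOnly");

        string defaultRedirect = (string)ce.Attribute("defaultRedirect");
        if (string.IsNullOrEmpty(defaultRedirect))
            findings.Add("defaultRedirect missing: unhandled errors fall back to the ASP.NET error page");
        else if (!defaultRedirect.EndsWith(".html", StringComparison.OrdinalIgnoreCase))
            findings.Add($"defaultRedirect={defaultRedirect} is not a static page; a failing error page can itself leak details");

        // Collect the status codes that have their own <error> element.
        var configured = ce.Elements("error")
            .Select(e => (string)e.Attribute("statusCode"))
            .ToHashSet();
        foreach (var code in RequiredCodes)
            if (!configured.Contains(code))
                findings.Add($"no <error> element for status {code}");

        return findings;
    }

    public static void Main()
    {
        // Constructed sample of a non-compliant development config.
        const string weak = @"<configuration><system.web>
  <customErrors mode=""Off"" />
</system.web></configuration>";

        // The block from section 3.1 of the standard, wrapped in its parents.
        const string compliant = @"<configuration><system.web>
  <customErrors mode=""RemoteOnly"" defaultRedirect=""error.html"">
    <error statusCode=""500"" redirect=""err500.html""/>
    <error statusCode=""404"" redirect=""err404.html""/>
    <error statusCode=""403"" redirect=""err403.html""/>
  </customErrors>
</system.web></configuration>";

        foreach (var (name, xml) in new[] { ("weak", weak), ("compliant", compliant) })
        {
            var findings = Check(xml);
            Console.WriteLine($"{name}: {(findings.Count == 0 ? "OK" : findings.Count + " finding(s)")}");
            foreach (var f in findings) Console.WriteLine("  - " + f);
        }
    }
}
```

Run against the two samples, the constructed config produces five findings (the mode, the missing defaultRedirect and the three missing <error> elements) and the standard's block produces none. Running Check over every Web.config in a deployment before release is a cheap way for Application Support to confirm the setting has not been left at Off after debugging.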
3.2. To include error handling
i. The following is the suggested content for the respective custom error pages.
500: Internal Server Error "Page cannot be displayed"
Sorry, an error has occurred while processing the requested page. Please try again later.
# Do not redirect for this error.
404: File Not Found
Sorry, the file you were looking for could not be found. You may have typed the wrong URL or the file may have been moved to a new location. You may contact Help-IT for assistance.
You will be redirected to the Homepage in 5 seconds.
403: Access Forbidden
Sorry, you are not authorized to view the web page which you are attempting to load. You may contact Help-IT for assistance.
You will be redirected to the Homepage in 5 seconds.
ii. The error page shall refresh and redirect to the application's unprotected main page (or equivalent) after 5 seconds. A sample redirect code is shown below.
<form id="form1" runat="server">
  <div>
    <script type="text/javascript" language="JavaScript">
      // Send the user back to the public main page after 5 seconds.
      setTimeout(function () { location.href = 'main_page.htm'; }, 5000);
    </script>
  </div>
</form>
iii. For a web page that inherits a Master page, the sample code is as shown below.
<asp:Content ID="Content1" ContentPlaceHolderID="mainContent" Runat="Server">
  <script type="text/javascript" language="JavaScript">
    // Same 5-second redirect, placed inside the content placeholder.
    setTimeout(function () { location.href = 'main_page.htm'; }, 5000);
  </script>
</asp:Content>
3.3. Capturing, Logging, and Storing
i. When an error occurs, the Application_Error sub is called. The error shall be logged.
ii. Below is a sample error logging code in Global.asax.
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Application_Error(object sender, EventArgs e)
{
    // Server.GetLastError() returns the unhandled exception for this request;
    // record where it happened, its message and its stack trace for the developers.
    Exception ex = Server.GetLastError();
    CommonDB comDB = new CommonDB();
    comDB.WriteExceLogFile(
        Request.Path,
        ex.Message,
        ex.StackTrace
    );
}
</script>
iii. The LogError table shall have the following fields:
Field        Type                   Comments
ID           Auto Number            Identity of the Application
RequestURL   NVarchar(500)          URL where the error occurs
Message      NText                  Error Message
StackTrack   NText                  Stack Trace of the error
Created on   DateTime Default Now   DateTime Created
iv. Try-catch blocks shall be used around any statements that might generate errors during new application development.
   - Error handling shall be included whenever practical, adopting the custom error messages recommended in this policy.
   - Create a global error handler at the page or application level that catches all unhandled exceptions and routes them to a generic error page.
public void run() {
    while (!stop) {
        try {
            // Perform work here
        } catch (Exception t) {
            // Log the exception and continue; inside a catch block the caught
            // exception itself supplies the message and stack trace.
            CommonDB comDB = new CommonDB();
            int errorID = comDB.WriteExceLogFile(
                Request.Path,
                t.Message,
                t.StackTrace
            );
            // Show the user only a generic message and the log reference.
            WriteToUser("An Error has occurred", errorID);
        }
    }
}
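The following Global.asax code-behind, added here as an example rather than the standard's own sample, carries items i to iv through in one handler: it unwraps the HttpUnhandledException that ASP.NET places around page errors, writes the request path, message and stack trace to the LogError table from item iii using parameterized SQL, leaves local requests to the RemoteOnly detailed page, and for remote users clears the error so the default page is never rendered and redirects them to the friendly 500 page with only the log ID. The ErrorLog class, the LogDb connection string name and the CreatedOn column name (the standard lists it as "Created on") are assumptions of this example.

```csharp
// Added example (not the OIS standard's own code): a Global.asax code-behind
// Application_Error handler that records the unhandled exception in the
// LogError table from section 3.3 and sends remote users to the friendly page.
// Assumes ASP.NET Web Forms on .NET Framework, a connection string named
// "LogDb" in Web.config, and a LogError table with the columns listed in the
// standard (ID identity, RequestURL, Message, StackTrack, CreatedOn).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps page exceptions in HttpUnhandledException; the inner
        // exception is the one worth logging.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        int errorId;
        try
        {
            errorId = ErrorLog.Write(Request.Path, ex);
        }
        catch
        {
            // Logging must never become a second unhandled error that reaches
            // the user; fall back to the trace listeners and carry on.
            System.Diagnostics.Trace.TraceError("LogError insert failed for: {0}", ex);
            errorId = 0;
        }

        // Local requests keep the detailed page that customErrors RemoteOnly
        // already grants to support staff on the console.
        if (Request.IsLocal) return;

        // Clear the error so the default (detailed) page is not rendered, then
        // show the friendly page. Only the numeric ID is exposed, so Help-IT can
        // match the user's report to the LogError row.
        Server.ClearError();
        Response.Redirect("~/err500.html?ref=" + errorId, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

public static class ErrorLog
{
    // Inserts one row and returns its ID. Parameters are used so that request
    // paths and messages containing quotes cannot alter the SQL statement.
    public static int Write(string requestUrl, Exception ex)
    {
        string cs = ConfigurationManager.ConnectionStrings["LogDb"].ConnectionString;
        const string sql =
            "INSERT INTO LogError (RequestURL, Message, StackTrack, CreatedOn) " +
            "VALUES (@url, @msg, @trace, GETDATE()); " +
            "SELECT CAST(SCOPE_IDENTITY() AS int);";

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // RequestURL is NVarchar(500): truncate rather than fail the insert.
            string url = requestUrl ?? "";
            if (url.Length > 500) url = url.Substring(0, 500);
            cmd.Parameters.Add("@url", SqlDbType.NVarChar, 500).Value = url;
            cmd.Parameters.Add("@msg", SqlDbType.NText).Value = ex.Message;
            // ToString() gives the type, message, stack trace and any inner
            // exceptions, which is what a developer needs to troubleshoot.
            cmd.Parameters.Add("@trace", SqlDbType.NText).Value = ex.ToString();
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

If the application should instead let the customErrors defaultRedirect perform the redirect, drop the Server.ClearError, Response.Redirect and CompleteRequest lines and keep only the logging; either way the detailed message and stack trace go to the LogError table and never to a remote browser.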