ASP.NET CustomErrors can't capture HTTP 401s…

It’s been a mad few weeks, so sorry for the posts tailing off a bit. Anyway, let’s get back into it with an interesting (and fairly short) problem.

ASP.NET applications can have custom error pages for the different HTTP responses. For example, you can have a custom “404 – Page not found”. Now, this can be a good idea, particularly for errors that produce stack traces or provide potentially sensitive information about the workings of your code. Or, heck, maybe you just want to present a nice looking error page.

ASP.NET provides default error pages itself, and these can be configured to not give much information away. You can actually provide different errors to local and remote users, which can be useful for developers. These look pretty rotten though.

A standard Error page showing lots of details

Fortunately, you can turn on custom errors, and define your own error pages:

<customErrors mode="On" defaultRedirect="Error.aspx">
<error statusCode="404" redirect="PageNotFound.aspx"/>
<error statusCode="403" redirect="Forbidden.aspx" />

This allows you to use your own error pages:

A custom error page not showing any details

Great! But… this doesn’t seem to work for HTTP 401. Why? I don’t know; presumably the user lacks the access to even get to the web app, and so to receive a custom error page. Sucks, huh?

Well, I was looking at that and came across an interesting post by Joshua Flanagan outlining using an HTTP Module to pick up the output 401 response and instead redirect the user to your error page. Neat, and fairly straight forward, but a bit of a pain in the backside that you have to do this at all!

I can’t say I’d noticed the problem with 401s until now…

ASP.NET CustomErrors can't capture HTTP 401s…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.