It’s been a mad few weeks, so sorry for the posts tailing off a bit. Anyway, let’s get back into it with an interesting (and fairly short) problem.
ASP.NET applications can have custom error pages for the different HTTP responses. For example, you can have a custom “404 – Page not found”. Now, this can be a good idea, particularly for errors that produce stack traces or provide potentially sensitive information about the workings of your code. Or, heck, maybe you just want to present a nice looking error page.
ASP.NET provides default error pages itself, and these can be configured to not give much information away. You can actually provide different errors to local and remote users, which can be useful for developers. These look pretty rotten though.
Fortunately, you can turn on custom errors, and define your own error pages:
<customErrors mode="On" defaultRedirect="Error.aspx">
<error statusCode="404" redirect="PageNotFound.aspx"/>
<error statusCode="403" redirect="Forbidden.aspx" />
This allows you to use your own error pages:
Great! But… this doesn’t seem to work for HTTP 401. Why? I don’t know; presumably the user lacks the access to even get to the web app, and so to receive a custom error page. Sucks, huh?
Well, I was looking at that and came across an interesting post by Joshua Flanagan outlining using an HTTP Module to pick up the output 401 response and instead redirect the user to your error page. Neat, and fairly straight forward, but a bit of a pain in the backside that you have to do this at all!
I can’t say I’d noticed the problem with 401s until now…