Throwing an ASP.NET 404 error

Question

1.00/5 (1 vote)

See more:

Here is a question for everyone:

If you to to http://www.asp.net, you get a pretty Default.aspx web-page.

If you go to http://www.asp.net/NotFound.aspx, you get a pretty ASP.NET 404 page not found page.

If you go to http://www.asp.net/NotFound, you get a pretty IIS 404 page not found page.

If you go to http://www.asp.net/NotFound.txt, you get a pretty IIS 404 page not found page.

What if webpage (fake.aspx) that would display it's results to an authenticated user, but you wanted to display the 404 page not found for the anonymous.

You could set the "Response.StatusCode = 200" for authenticated users and set the "Response.StatusCode = 404" for the anonymous users.

This works great, except the system displays the IIS 404 page not found page not the ASP.NET 404 page not found. For the typical visitor, this won't be a problem. They see a 404 page not found and move on. However, a person who is paying attention would notice there was a difference in how the webpage are displayed.

Here is the question.

How do you get an .ASPX page to show the ASP.NET 404 page not found error message instead of the IIS 404 page not found page?

Thanks for your input

Posted 31-Oct-13 14:04pm

MrComputerWhiz

Add a Solution

Comments

Trak4Net 31-Oct-13 20:25pm

Just curious... wouldn't you want to redirect them to the login page? What if the user has lost authentication then they get 404 not found and think there is an issue.
Anyways, I would think you could just redirect to your fancy 404.aspx page instead of setting the response code to 404? I am sure you are just trying to find out why and unfortunately I don't know but just curious.

Sergey Alexandrovich Kryukov 31-Oct-13 20:32pm

No! It has nothing to do with logging, and redirecting this error to a login page would be a big mistake.

The user should really see "error 404". Many people will try to type gibberish after the domain name and won't deal with you site if you conceal such error message. The different thing is: you can really provide some link on the error page, but hardly to the login page. Appropriate link would be the top page of the site, or site map (table of contents), or both.

Please see my answer.
—SA

MrComputerWhiz 31-Oct-13 21:27pm

Sadly, your reply to the problem only addresses yet another problem. Which is why the original question was ask. If the site was designed and managed to work properly, this would not be an issue.

Unfortunately, to safe cost, the "Cheapest" route has been taken and there is no "Extra" funds available for a complete site redesign and hosting.

Sergey Alexandrovich Kryukov 31-Oct-13 21:32pm

This is not about the cost. You are trying to take a wrong route. Please see my comment to my answer, about security by obscurity. It's not my mission to convince you, but think just on the common notion: illusion of security is worse then no security. And you note in complete redesign and hosting is totally irrelevant. What's the problem, is your authentication weak? It won't get stronger if you fake error 404. You just did not think well. Better try again.
—SA

MrComputerWhiz 31-Oct-13 22:36pm

The question being asked was never about security... but about how to preform a simple request. How do you make an ASP.NET page display an ASP.NET 404 error message instead of the IIS 404 Error Message. Quoting Best Practices and RFC standards does not answer the question that was asked.

Badgering other members of this site does not help the situation. Most people refer to these site for "Answer", not quotable information.

To the question of "Cost". Yes it is a matter of cost. Not having a way to change any aspect of the web-site or it's hosting services means I can't change anything. The only thing I can do is to offer "Suggestions" as to how to best fix problems at hand.

The suggestion of moving the site to another company has been offered as has the suggestion of the redesign. However, those suggestions have been deemed not cost effective, by the organization who controls the site.

Now, the current site has never been hacked under it's current design (not by me or any of those individuals I've asked to try to hack the site, nor any other attempts to break into the site).

The current ROI (Return on Investment) is estimated at 21 years, 9 months, 27 days. With Technology changing almost every 6 months means it will be sometime for for the site has to change. This does include the increased cost of attempts to hack the site increasing by 5% every MONTH, as it has been in the bast 18 months.

That being said, a "Fake" 404 error is estimated to reduce the hacking attacks by nearly 3% of the current status, changing the ROI to over 50 years, why a "Free" manageable solution is preferred over the costly redesign/hosting solution.

Again.. Thanks for the comments. Sadly, those comments never answered the question being asked.

MrComputerWhiz 31-Oct-13 21:20pm

Would be nice to do such a thing. (see added comments). Currently, redirecting users to a custom 404 error page is out of the question. Simplest, and most cost effective method is to "Fake out" those trying to breaking in.

Sergey Alexandrovich Kryukov 31-Oct-13 21:35pm

This redirection is standard feature of all non-nonsense HTTP servers and non-nonsense hosting plans and comes for free with the plan. I have no idea why do you think it's out of question. What you seemingly want to do is neither simpler no cheaper.
—SA

MrComputerWhiz 31-Oct-13 21:59pm

Being Curious is a good thing. The site is designed to allow users to "Login". It is those individuals who attempt to get into restricted pages that is the problem. The Redirection would be the way to go if that was an option. Sorry for Sergey Alexandrovich Kyukov comments who thinks that quoting RFC standards is the answer to real world questions.

Sergey Alexandrovich Kryukov 31-Oct-13 23:32pm

No, I don't think so, but in your particular case, I think it is the answer. You just don't want to admit it. It's very usual when people, including sometimes myself, keep to some ideas they are preoccupied with, even if such ideas are mistaken. If you gave me some serious convincing argument in favor of your standpoint, I would change my opinion with gratitude. So far, it did not happen.
—SA

Sergey Alexandrovich Kryukov 31-Oct-13 20:27pm

It depends on how you host the Web site. Of course you should take care about it...
—SA

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Ahmed Jubayer · Answer 1 · 2014-01-28T20:05:00

Add this to your web config file:

XML

<customErrors mode="On" defaultRedirect="~/ErrorPages/505.htm">
  <error statusCode="404" redirect="404.htm"/>
  <error statusCode="403" redirect="403.htm"/>
</customErrors>

In the page load method type this code for test:

C#

throw new Exception("PageLost");

It will take you to Error page.
In the url type a wrong page name. It will take you to page not found page.

Sergey Alexandrovich Kryukov · Answer 2 · 2013-10-31T14:27:00

Solution 1

Who told you that you have to use the URL with "NotFound"?! Use http://www.asp.net/Any_gibberish_at_all[^], and you will get the same result. This is a very usual setting for a HTTP server and the site. This error 404 means "not found". When you host the site, you can define the
file names for all usual HTTP error cases and put some real HTML files under these names.

Please see:
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes[^],
http://en.wikipedia.org/wiki/ERROR_404[^].

Now, if you do Web development yourself, this is your obligation to be aware of that, configure those file names (or ask you Web hosting customer service), develop appropriate error-response HTML files and put them under these names. Failure to do so is considered as unprofessional and sloppy. Just do it.

[EDIT]

See also my comment to the comment to the question by Trak4Net: on your error pages, you can provide a link to a top page of the site, site map, or both, but hardly anything else.

—SA

Posted 31-Oct-13 14:27pm

Sergey Alexandrovich Kryukov

Updated 31-Oct-13 14:34pm

v4

Comments

MrComputerWhiz 31-Oct-13 21:10pm

As it stands, the current web-site has three types of users. "Members", "Admins", and "Anonymous" users. All of this is controlled over a bunch of AjaxCode. The Hosting company keeps messing things up when the site Admins request changes (IE the last time they requested to turn off directory browsing, the entire site went down for 2 months). Currently, there are no redirection or default error handling on the site.

An anonymous user can only view information from the main site.

A Member can view the site, but can only change their information.

An Admin can only control the content of the site.

If an Anonymous user or Member hits one of the Admin pages, a Big "Go Home" button is displayed on the page (Controlled by Ajax).

If an Admin user hits one of the Admin pages, they receive a custom build page (through Ajax coding), to administrator the web-site.

All the programs used to build the AjaxCode has been lost. The site only contains the compiled DLLs. (Thus no way for the current admin to change it).

Somehow, a person can be both an Admin and a Member, or just an Admin, or just a Member.

This is for a "Not-For-Profit" organization. All "Income" is used to fund a scholarship fund, thus every penny counts. Lately, there "Web-Services" fees have increased. Being a "Member" and also a programmer, I've been asked how to help keeping the site from being attacked by hackers (as this appears to be the reason for the increase... ie lots of unauthorized requests to admin pages)

Thus, the best solution that I can think of is to fake out any hackers from what is truely going on inside the web-site. Why I was asking how to create an ASP.NET 404 error versus just the standard IIS 404 error. This way, simple changes to the code-behind can fool even some of he "Better" hackers.

Sergey Alexandrovich Kryukov 31-Oct-13 21:20pm

You are diverting discussion into other, irrelevant topics. I answered your question. And "to fake-out hacker" approach is not only naive (and totally irrelevant to your original question), it is also really dangerous. This is called "security by obscurity", proven to be a disaster.
Please read this: http://en.wikipedia.org/wiki/Security_by_obscurity.
If you want to discuss security, feel free to ask a separate question.

As to your original question, I answered in full, please accept it formally (green "Accept" button). In all cases, your follow-up question will be welcome.

—SA

MrComputerWhiz 31-Oct-13 21:36pm

I totally agree. Trying to fake out hackers is the wrong way to go. However, this is no budget for moving the site to a different company, nor is there a budget for a complete site redesign. Thus, the most cost effective way currently is to try to fake out the hackers...

Side note.... I am a Hacker (not a Slacker).... Hackers in my terms is someone who is invited to break a system... Slacker is someone who tries to hack a system without permissions. Had the site been designed to work correctly, this would not have been an issue.

Unfortunately, the question still has not been answered (How do you make an ASPX page make an ASP.NET 404 error display versus an IIS 404 error message), thus no "Green Accept".

Sergey Alexandrovich Kryukov 31-Oct-13 23:37pm

No problem at all about "Accept". Thank you for sharing your views. I would reluctantly accept your explanation about budget if I understood what would be the alternative which would need more money. What makes you thinking that you need some security measures which would take "complete site redesign"? For me, it's just hard to imagine. Perhaps the site have some serious fault which I cannot picture. Usually security is applied only in few key points...
—SA