security issue on error page with ASP code

I've inherited an application that I have to both support and maintain
here at work but it comes with one very big headache...

The employees who use it are not allowed access to the server it's
required to sit on which means that my username and password have to be
included in the logon.asp page which I HATE! So when this fails, it
publishes my username and password on the screen for the user to
see...brilliant!

Since nobody is willing to create a dummy account is there a way that I
can keep that line of code from displaying if in error? I've added the
code to this thread...

thanks!!

<authentication mode="Windows"/>
Line 44: <!--<identity impersonate="true"/>-->
Line 45: <identity impersonate="true" userName="########" password="########"/>

Jul 10 '06 #1
Pharoh wrote:
I've inherited an application that I have to both support and
maintain here at work but it comes with one very big headache...

The employees who use it are not allowed access to the server it's
required to sit on which means that my username and password have to
be included in the logon.asp page which I HATE! So when this fails, it
publishes my username and password on the screen for the user to
see...brilliant!

Since nobody is willing to create a dummy account is there a way that
I can keep that line of code from displaying if in error? I've added
the code to this thread...

thanks!!

<authentication mode="Windows"/>
Line 44: <!--<identity impersonate="true"/>-->
Line 45: <identity impersonate="true" userName="########" password="########"/>

This looks like an extract from a web.config file, so you're not talking
about ASP: you are talking about ASP.Net.

There was no way for you to know it (except maybe by browsing through
some of the previous questions before posting yours - always a recommended
practice), but this (I am posting this via .inetserver.asp.general) is
a classic asp newsgroup.
ASP.Net is a different technology from classic ASP.
While you may be lucky enough to find a dotnet-savvy person here who
can answer your question, you can eliminate the luck factor by posting your
question to a newsgroup where the dotnet-savvy people hang out. I
suggest microsoft.public.dotnet.framework.aspnet.

The answer of course is to use Try...Catch to handle all errors and
avoid the error page you are talking about.
Alternatively, you should turn off detailed errors in your production
web.config. Either:
<customErrors mode="On" />
or
<customErrors mode="RemoteOnly" />
cc and Followup-To set to microsoft.public.dotnet.framework.aspnet

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 10 '06 #2
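
A check a maintainer could run over web.config files for the two conditions discussed in this thread: an identity element that carries credentials inline, and detailed errors being sent to remote users. This is an added example, not code from either poster; the sample configs, the account name and the function name are constructed, and it assumes a web.config without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fragment quoted in the question.
SAMPLE_WEAK = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true" userName="svc_example" password="not-a-real-password"/>
    <customErrors mode="Off"/>
  </system.web>
</configuration>"""

# Constructed sample with the reply's setting applied and no inline credentials.
SAMPLE_HARDENED = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    <customErrors mode="RemoteOnly"/>
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings for one web.config document."""
    findings = []
    root = ET.fromstring(xml_text)
    # <location> blocks can hold their own <system.web>, so search the whole tree.
    for web in root.iter("system.web"):
        errors = web.find("customErrors")
        # When the element is absent, ASP.NET falls back to its default, RemoteOnly.
        mode = errors.get("mode", "RemoteOnly") if errors is not None else "RemoteOnly"
        if mode.lower() == "off":
            findings.append("customErrors mode=Off: detailed errors are sent to remote users")
        for ident in web.findall("identity"):
            if ident.get("password") is not None:
                findings.append("identity element carries a password attribute")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_web_config(text) or "no findings")
```
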
