Which HTTP Status Codes to cover for MVC error handling

后端 未结 4 2191
甜味超标
甜味超标 2021-02-13 15:09

I\'m currently developing custom error pages in my error handling code for my MVC application. But I\'m unclear as to which HTTP status codes I\'m meant to cover.

相关标签:
4条回答
  • 2021-02-13 15:32

    An interesting question, IMHO.

    These three errors (403, 404 and 500) are the most common errors that can happen to the real user accessing your site with a standard browser.

    On other hand, the HTTP standard was written for both server and agent developers in order to define how both sides should operate. Naturally, the standard browsers like IE, Chrome, Firefox, etc. as well as the standard robots like Google or Bing bots correctly fulfill the requirements, but some proprietary written agent may send a malformed request, and the standard provides the set of codes the server should send in this situation. For example, if the Content-Length field is missed the server returns the error code 411. However, you shouldn't provide user-friendly pages for such a situation.

    The code 408 (Request timeout) is explained in the standard as following:

    "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."

    and it also not a case you should make user-friendly page for.

    To make a long story short, don't worry :)

    0 讨论(0)
  • 2021-02-13 15:37

    I'm trying to find out the answer also. My code looks scarily like yours. This is a great question with so few views, I've set a bounty on this question. I myself have handled the following codes so far:

    <system.webServer>
      <!-- Custom error pages -->
      <httpErrors errorMode="Custom" existingResponse="Replace">
        <!-- Redirect IIS 400 Bad Request responses to the error controllers bad request action. -->
        <remove statusCode="400" />
        <error statusCode="400" responseMode="ExecuteURL" path="/error/badrequest" />
        <!-- Redirect IIS 401 Unauthorized responses to the error controllers unauthorized action. -->
        <remove statusCode="401" />
        <error statusCode="401" responseMode="ExecuteURL" path="/error/unauthorized" />
        <!-- Redirect IIS 403.14 Forbidden responses to the error controllers not found action. 
             A 403.14 happens when navigating to an empty folder like /Content and directory browsing is turned off
             See http://rehansaeed.co.uk/securing-the-aspnet-mvc-web-config/ and http://www.troyhunt.com/2014/09/solving-tyranny-of-http-403-responses.html -->
        <error statusCode="403" subStatusCode="14" responseMode="ExecuteURL" path="/error/notfound" />
        <!-- Redirect IIS 404 Not Found responses to the error controllers not found action. -->
        <remove statusCode="404" />
        <error statusCode="404" responseMode="ExecuteURL" path="/error/notfound" />
        <!-- Redirect IIS 500 Internal Server Error responses to the error controllers internal server error action. -->
        <remove statusCode="500" />
        <error statusCode="500" responseMode="ExecuteURL" path="/error" />
      </httpErrors>
    </system.webServer>
    

    My reasoning is as follows:

    • 400 - Controllers have the BadRequest() method built in and you may want to return this when a parameter passed to the action is invalid.
    • 401 - Applying the Authorize attribute to a controller or action causes a 401 Unauthorized response. Controllers also have the Unauthorized() method built in.
    • 403.14 - Redirect these to 404 Not Found responses as a Forbidden is just plain wrong (See Securing your web.config and Troy Hunt's blog for more information).
    • 404 - Thrown when the user browses to a page not found.
    • 500 - Thrown when something goes catastrophically wrong.

    Overall I feel you should handle those codes that you yourself are going to use. The problem is that IIS does all kinds of strange things and we need to handle some of it's incorrect or invalid responses such as the 403.14 I listed above.

    Here is a complete list of IIS HTTP Status Codes and Sub-Status Codes which might be useful to our cause. I have a feeling the 403 Forbidden response should also be supported as it seems to be a fairly prominent response thrown by IIS.

    One interesting thing I discovered while Googling is that navigating to:

    yoursite/<script></script>
    

    Returns a 500 Internal Server from IIS. I feel this should return a 404. The IIS error page does not tell us what the Sub-Status Code is and I would be interested to know how we can find out, so that we can redirect the 500.Something to a 404 Not Found page.

    Here is a link to the GitHub page for the ASP.NET MVC Boilerplate project, for which I am doing this research and where you can look at my code.

    0 讨论(0)
  • 2021-02-13 15:48

    Don't rely too much on http status codes.

    I have worked with a few bad web developers over the last couple of years that have incorrectly used them in their responses.

    I may look for codes within 200-299 for an indication of success. I may look for codes >500 to indicate a server failure.

    Beyond that, I use a selfish approach i.e. if you are making a request that your are expecting to have a package of data returned to you, then inspect the data. If there is no data or if the data is bad then I know for certain that there was a problem, because I didn't get what I needed to continue running my application in a nominal way.

    0 讨论(0)
  • 2021-02-13 15:50

    There may be another way: this solution uses 1 custom-error page to handle all types (I think?)

    [1]: Remove all 'customErrors' & 'httpErrors' from Web.config

    [2]: Check 'App_Start/FilterConfig.cs' looks like this:

    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
        }
    }
    

    [3]: in 'Global.asax' add this method:

    public void Application_Error(Object sender, EventArgs e)
    {
        Exception exception = Server.GetLastError();
        Server.ClearError();
    
        var routeData = new RouteData();
        routeData.Values.Add("controller", "ErrorPage");
        routeData.Values.Add("action", "Error");
        routeData.Values.Add("exception", exception);
    
        if (exception.GetType() == typeof(HttpException))
        {
            routeData.Values.Add("statusCode", ((HttpException)exception).GetHttpCode());
        }
        else
        {
            routeData.Values.Add("statusCode", 500);
        }
    
        Response.TrySkipIisCustomErrors = true;
        IController controller = new ErrorPageController();
        controller.Execute(new RequestContext(new HttpContextWrapper(Context), routeData));
        Response.End();
    }
    

    [4]: Add 'Controllers/ErrorPageController.cs'

    public class ErrorPageController : Controller
    {
        public ActionResult Error(int statusCode, Exception exception)
        {
             Response.StatusCode = statusCode;
             ViewBag.StatusCode = statusCode + " Error";
             return View();
        }
    }
    

    [5]: in 'Views/Shared/Error.cshtml'

    @model System.Web.Mvc.HandleErrorInfo
    @{
        ViewBag.Title = (!String.IsNullOrEmpty(ViewBag.StatusCode)) ? ViewBag.StatusCode : "500 Error";
    }
    
    <h1 class="error">@(!String.IsNullOrEmpty(ViewBag.StatusCode) ? ViewBag.StatusCode : "500 Error"):</h1>
    
    //@Model.ActionName
    //@Model.ContollerName
    //@Model.Exception.Message
    //@Model.Exception.StackTrace
    
    0 讨论(0)
提交回复
热议问题