Forbidden access tubecast
1/31/2024

Yes, all it means is that authentication was successful but the account is not authorized to view this resource. Per RFC2616, an HTTP 404 could be used instead. However, I would advise against that, since returning a 403 provides the following benefits: For systems with multiple accounts (i.e. Active Directory), this provides the necessary information for the user that perhaps they logged in with the wrong account and should try another. If the user legitimately needs access, the helpdesk ticket can be quickly processed knowing they're getting a 403.

In your scenario, the "bad guys" have already logged in successfully. Hopefully the authorization process is robust enough to thwart further damage (i.e.

While many have commented on turning off detailed error messages, I would agree that this is a best practice. However, a 403 is much different from a server error such as an HTTP 500, where interesting information is printed to the screen. Again, a 403 just means you're unauthorized to view a particular resource after successfully logging in. So continue to return a 403, but don't include verbose diagnostic information. If this is an extremely sensitive resource, consider segregating it and require dual-factor authentication. This will provide additional security that the person is truly who they claim to be when accessing the protected resource.

To answer your first question, it is not good to show this error to the end user. Showing a default error page that has the exact technical details in it is not a good practice. It has both security and user experience issues. If the user is a non-technical person, this kind of error message can highly annoy him with all the technical stuff in it. He will not know what to do to solve the error, which he didn't understand. On the other hand, if the user is a technical person (let's say a bad one), there is a chance for him to get a glimpse or an overall idea of the security structure of your application. There is a fair chance of getting exposed if he finds out the security patterns in your application, because the attacks he tries to break your application will be accurate or at least a bit more specific.

To answer your second question, redirecting to some other page does not seem to be a good user-friendly idea. When a user tries to access something and it redirects him straight to the Home page or any other page, it will spoil the usability and the users' interest in your application. If you really want to redirect him somewhere, show him a neat customized message and then redirect him, so that he will at least know what is happening.

Error handling is the solution for your problem. Always think from the user's perspective when you prepare the error messages. Show customized error messages which the user can easily understand and which also do not expose any security structure of your application.

Bottom line - Any kind of error must be handled and customized before informing the user. I do agree that you probably don't want to just send the default page to the user.
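Both answers above come down to the same practice: keep returning the honest status code (403 for an authorization failure, 500 for a server fault) but hand the user a customized, non-technical message, while the diagnostic detail goes only to the server-side log. The WSGI app below is an added example written for this page, not code from the original question or answers; the resource table, the users alice and bob, the NotAuthorized class and the call() helper are constructed for the demonstration.

```python
import logging, traceback, uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app")

class NotAuthorized(Exception):
    pass  # authenticated user may not use the resource (-> 403)
def broken_page(user):
    raise RuntimeError("db connection refused")  # simulated internal failure
# Constructed resources for the example: path -> (allowed users, handler).
RESOURCES = {"/reports/finance": ({"alice"}, lambda u: f"Finance report for {u}"),
             "/reports/broken": ({"alice", "bob"}, broken_page)}
# Customized, non-technical messages. The reference id lets the helpdesk find
# the detailed server-side log entry without that detail reaching the user.
MESSAGES = {
    403: "You are signed in, but this account may not view this page. If you "
         "have more than one account, try another, or contact the helpdesk.",
    404: "The page you requested does not exist.",
    500: "Something went wrong on our side. Please try again or contact the helpdesk.",
}
def friendly_error(status, request_id):
    return f"{MESSAGES[status]} Reference: {request_id}"

def app(environ, start_response):
    request_id = uuid.uuid4().hex[:12]
    user, path = environ.get("REMOTE_USER", ""), environ.get("PATH_INFO", "/")
    try:
        if path not in RESOURCES:
            status, body = "404 Not Found", friendly_error(404, request_id)
        else:
            allowed, handler = RESOURCES[path]
            if user not in allowed:
                raise NotAuthorized(f"{user!r} may not access {path}")
            status, body = "200 OK", handler(user)
    except NotAuthorized as exc:
        log.warning("403 ref=%s %s", request_id, exc)  # detail stays in the log
        status, body = "403 Forbidden", friendly_error(403, request_id)
    except Exception:  # anything unexpected: log the trace, never return it
        log.error("500 ref=%s\n%s", request_id, traceback.format_exc())
        status, body = "500 Internal Server Error", friendly_error(500, request_id)
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode()]

def call(user, path):  # run the app in-process, no network -> (status, body)
    environ = {"REMOTE_USER": user, "PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}
    body = b"".join(app(environ, lambda s, h: captured.update(status=s))).decode()
    return captured["status"], body
```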