Saturday, April 26, 2008

Is it really required to show the User Name and Password in the ASP.NET Error Page?

I got the following ASP.NET error when I was browsing a local web site. The error occurs because ASP.NET cannot authenticate using the user name and password in the impersonate tag. The real issue is not the Windows authentication problem, because the reason for the error could be that the domain server is down or that the administrator has used an incorrect user name and password in the web.config.

But is it still good to show the User Name and Password in the error message? You can argue that the developer has switched on CUSTOM ERROR MESSAGES and has forgotten to switch them off at the time of deployment. But still, is it really required to show the whole user name and password in the error? If the necessary ports are not secured, someone can easily log in to the server and mess it up. (In this case only ports 80 and 21 are open, and this user won't have permission for FTP.)

[Screenshot of the ASP.NET error page: mydaylk-aspnet-error-2.PNG]
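A pre-deployment check for the two settings this post is about, cleartext credentials in the impersonation `<identity>` tag and custom errors switched off, is sketched below. It is an added example, not code from the original post; the sample configs, account name, password and registry path are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): cleartext impersonation credentials
# and detailed errors sent to every visitor.
SAMPLE_WEAK = r"""<configuration>
  <system.web>
    <customErrors mode="Off" />
    <identity impersonate="true" userName="EXAMPLE\svc_web" password="ExamplePassw0rd" />
  </system.web>
</configuration>"""

# Constructed hardened variant: credentials are registry references
# (the format written by aspnet_setreg) and remote visitors get custom errors.
SAMPLE_HARDENED = r"""<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
    <identity impersonate="true"
      userName="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,userName"
      password="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>"""

def _local(tag):
    # Some generated files put an xmlns on <configuration>; ignore the namespace.
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Return a list of findings for one web.config document."""
    findings = []
    for el in ET.fromstring(xml_text).iter():  # also covers <location> blocks
        name = _local(el.tag)
        if name == "identity" and el.get("impersonate", "").lower() == "true":
            if el.get("configProtectionProvider"):
                continue  # section encrypted with protected configuration
            for attr in ("userName", "password"):
                value = el.get(attr)
                if value and not value.lower().startswith("registry:"):
                    findings.append(f"identity/@{attr} is stored in cleartext")
        elif name == "customErrors" and el.get("mode", "").lower() == "off":
            findings.append("customErrors mode=Off: detailed errors reach remote clients")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_web_config(cfg))
```
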
