Following a request to generate a custom 404 message I added HandleURL to my web project
Function HandleURL(Request As WebRequest) As Boolean
If Request.Path <> "" then
Request.Print "<html><body>Custom URLs are not allowed</body></html>"
Request.Status = 200 // An HTTP Response code of 200 means everything is OK
Return True
End If
End Function
But for some reason, after a while I get a request to which gets captured I get a WebRequest where the path is
In their world of 'everyone is out to get me' they were complaining that we were not sanitising the URLs before returning the 404. Apparently there is a possibility that the JavaScript is actually executed.
So, I just added a default message for all extra URLs, but for some reason I was getting session requests arriving there.
[quote=249177:@Lee Badham]Following a request to generate a custom 404 message I added HandleURL to my web project
Function HandleURL(Request As WebRequest) As Boolean
If Request.Path <> "" then
Request.Print "<html><body>Custom URLs are not allowed</body></html>"
Request.Status = 200 // An HTTP Response code of 200 means everything is OK
Return True
End If
End Function
But for some reason, after a while I get a request to which gets captured I get a WebRequest where the path is
After this call I get a Javascript error (showing the custom html) in the web browser and have to refresh the web page.
Why am I getting session calls here?
Without having any custom HandleURL event handler, everything seems to work.
Lee[/quote]
This could happen if the browser that is making the request has a dead session. For instance, if the browser was offline for a period of time, your web app determined that it was no longer there and therefore ended the session. HandleURL doesn’t skip all runs of 32 characters, only the ones that are currently sessions.
It does not matter what the browser does. The server should correctly return a 404 status. That is what the protocol states and that is the best way to handle security.
Ask them to explain why you'd need to sanitise anything since you are using the sledgehammer approach by totally ignoring the entire URL in the request and returning a standard HTML page no matter what is fired at your server??? Would love to hear their explanation of how the example will end up being run anywhere in your case.
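As an added illustration of the two points made in the replies above (return a real 404 status, and never echo the request path unescaped), here is a HandleURL handler written for this thread; it is not Lee's code nor part of the Xojo framework. It assumes the classic Xojo Web API used in the original post (Request.Path, Request.Print, Request.Status) and the built-in ReplaceAll function; EscapeHTML is a hypothetical helper defined here, not a Xojo built-in.

```xojo
// HandleURL variant for unknown paths: correct status code, fixed body.
// Assumes the classic Xojo Web API (Request.Path, Request.Print, Request.Status).
Function HandleURL(Request As WebRequest) As Boolean
  If Request.Path <> "" Then
    // Set the status before printing: the protocol says "not found", not 200
    Request.Status = 404
    // The body is a constant and never contains Request.Path,
    // so there is nothing from the client to sanitise here
    Request.Print "<html><body>Not found</body></html>"
    Return True
  End If
  // Empty path: not handled here, let the framework serve the app itself
  Return False
End Function

// Hypothetical helper: only needed if you ever decide to show the requested
// path in the response body. It replaces the characters that would let
// client-supplied text become markup or script in the browser.
Function EscapeHTML(s As String) As String
  s = ReplaceAll(s, "&", "&amp;")   // must be first, or later entities get double-escaped
  s = ReplaceAll(s, "<", "&lt;")
  s = ReplaceAll(s, ">", "&gt;")
  s = ReplaceAll(s, """", "&quot;") // a doubled quote is one literal quote in Xojo
  s = ReplaceAll(s, "'", "&#39;")
  Return s
End Function
```

With a constant body the escaping helper is never invoked, which is exactly the "sledgehammer" argument above: if the response does not reflect anything from the request, the pen-test finding about URL sanitising does not apply. The one thing the original handler did get wrong from a protocol standpoint is the 200 status, which this version replaces with 404.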
[quote=249440:@Lee Badham]I’ve removed the handler. We’re getting lots of calls with /comm in them and trying to decide whether to handle it or not doesn’t seem reliable.
Logging calls to HandleURL seems to show that sometimes there are calls to HandleURL even before the first /
You can see from the log the third request is the one from /
This does not happen all the time though.[/quote]
Those must be from other browsers. You can’t have a session request before the initial / request unless the user presses refresh or leaves the app and comes back.