security issue on error page with ASP code

[Pharoh]

I've inherrited an application that I have to both support and maintain
here at work but it comes with one very big headache...

The employees who use it are not allowed access to the server it's
requried to sit on which means that my username and password have to be
included in the logon.asp page which I HATE! So when this fails, it
publishes my usernanme and password on the screen for the user to
see...brilliant!

Since nobody is willing to create a dummy account is there a way that I
can keep that line of code from displaying if in error? I've added the
code to this thread...

thanks!!

<authentication mode="Windows"/> Line 44: <!--<identity
impersonate="true"/>--> Line 45: <identity impersonate="true"
userName="########" password="########"/>

 

[Bob Barrows [MVP]]

I've inherrited an application that I have to both support and
maintain here at work but it comes with one very big headache...

The employees who use it are not allowed access to the server it's
requried to sit on which means that my username and password have to
be included in the logon.asp page which I HATE! So when this fails, it
publishes my usernanme and password on the screen for the user to
see...brilliant!

Since nobody is willing to create a dummy account is there a way that
I can keep that line of code from displaying if in error? I've added
the code to this thread...

thanks!!

<authentication mode="Windows"/> Line 44: <!--<identity
impersonate="true"/>--> Line 45: <identity impersonate="true"
userName="########" password="########"/>

This looks like an extract from a web.config file, so you're not talking
about ASP: you are talking about ASP.Net:

There was no way for you to know it (except maybe by browsing through
some
of the previous questions before posting yours - always a recommended
practice), but this (I am posting this via .inetserver.asp.general) is
a classic asp newsgroup.
ASP.Net is a different technology from classic ASP.
While you may be lucky enough to find a dotnet-savvy person here who
can
answer your question, you can eliminate the luck factor by posting your
question to a newsgroup where the dotnet-savvy people hang out. I
suggest
microsoft.public.dotnet.framework.aspnet.

The answer of course is to use Try...Catch to handle all errors and
avoid the error page you are talking about.
Alternatively, you should turn off detailed errors in your production
web.config. Either:
<customErrors mode="On" />
or
<customErrors mode="RemoteOnly" />


cc and Followup-To set to microsoft.public.dotnet.framework.aspnet