Internet Explorer Subverts Error Messages

by William Crawford

Most users and developers are familiar with the standard HTTP error messages, particularly the infamous 404 and the almost-as-infamous, at least in web applications, 500, the dread Internal Server Error. Most web development environments let you override the standard web server error messages with your own versions, providing more (and less incongrous) information to the user. For any application, particularly when you make a conscious decision to present the error, this seems like a good idea. At the very minimum, it makes log analysis and error pinpointing that much easier.

The team desiging the Microsoft Exchange Web Access server gets this; but the IE folks don't. This morning I tried to log in to an Exchange Web Mail environment for the first time. I did this in IE, and after entering my login information incorrectly I got a 403 (Unauthorized) error, which made sense. But after entering them properly I got a generic IE 500 error, indicating some internal crisis the system was not going to describe to me in any greater level of detail.

For some reason I decided to try it in Netscape (partially because I was curious whether the Exchange Web Mail function would even work with Netscape), and instead of the generic 500 got a message indicating that my account had been locked out and couldn't be accessed. This made perfect sense, but all IE had done was blame Exchange for some internal collapse (and not set me on the way to resolving the problem).

It turns out I hadn't disabled IE's "Friendly Error Messages", which replace whatever the server provides with a more helpful version. This is fine when the error message is an unhelpful server default, but when the application is using the messages as to provide information on valid modes of operation. Sure enough, once I turned this off (it's on by default) I got the same message in IE as in Netscape.

So that's today's bit of web development wisdom: don't override the standard error codes for your own application. Use regular (response 200) pages with error messages instead. It's supposed to work, and you're supposed to be able to do it, but all you'll really manage is to confuse 80% of the browsing public. I'm actually not convinced that "Friendly Error Messages" are a bad idea, since most sites don't provide enhanced error messages and the web server defaults aren't generally that helpful for less technically inclined users. But that's neither here nor there, since the going-forward assumption has to be that they'll be there, and developers will have to work around them.

Anything else like this?


2002-09-11 14:11:50
Disabling Friendly Error Messages
I vaguely remember from somewhere that if you make the error page bigger than a certain size, IE won't show a friendly error message. I've never tested this theory though.
2002-09-11 15:05:02
Disabling Friendly Error Messages
That might be worth testing. The Exchange Web Access error message was user-interface free: just a single line of text and bare-bones HTML wrapping around it.
2002-09-11 17:37:27
FYI: Turning off friendly...
If anyone wants to turn off this "helpful" feature in IE, it's under (menu)Tools->(menupick)Internet Options->(tab)Advanced->(grouping)Browsing->(checkbox)Show friendly HTTP error messages.
2002-10-02 07:33:55
You shouldn't send a 200 status, instead....
By always returning a status of 200 you'd be making a website that didn't comply with the HTTP RFC. IE overrides several HTTP error status pages but it has a size threshold. Basically if the error page send by the server has a large enough body then IE decides it's meaningful and displays it.

Usually to be safe you should make error pages that are larger then 512 bytes. The threshold varies per HTTP status code. You can look at what your thresholds are currently set to. In IE 5 and greater the settings are stored in the registry under[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds]

Err Size(bytes)
400 512
403 256
404 512
405 256
406 512
408 512
409 512
410 256
500 512
501 512
505 512

2003-05-06 11:43:40
easy workaround
better late than never:

make sure the login page is a decent size, stick a graphic in it, that way IE thinks its a 'custom error page' and displays it.

-jeb richter

2005-05-05 14:33:54
You shouldn't send a 200 status, instead....
2 b honest Iam not a guru of computers but I do have abig issue w/ those HTTP 500 error that r driving me crazy n I dont know how to correct this I will really appreciate any help, thanks owner.