My server returns a 403 forbidden error when a user tries to access a resource that they do not have access to. Along with the header the server also writes a small message describing the error.

In Firefox the error message gets displayed nicely and the user knows what's going on.

In Internet Explorer the message is hidden and replaced with the 403 Forbidden standard error page.

Are there any specific rules that allow me to display an error message across all browsers while still setting the status to 403 Forbidden?

Here is the RFC info on this status:

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

It seems like I should be setting a message but IE just won't display it.

A: 

The implementation of error handling is browser dependent. In HTTP, if you are just going to return a 403 error, then you have to rely on the user agent (the technical name for the browser; the recipient of your error message may not be a browser) to handle it how it sees fit.

If you don't like how the browsers are handling 403 errors and want to ensure a consistent user experience across all browsers then redirect the user to your own 'permission denied' page. You can build a page that can explain to them why permission was denied and what they might be able to do about it. And it will be consistent for any browser.

james
+1  A: 

Try making your 403 page larger (i.e. more bytes). Some browsers assume that a short error page is the default page from the web server and decide to show their own, presumably more helpful text.

More info.

Jeremy Stein
Thanks, this is correct! I eventually figured this out myself last night. I just added an extra long comment to the end of the body. Sometimes IE makes me mad.
Peter D
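The padding approach from the answer above, written out as an added example (not code from any poster in this thread). It assumes a 512-byte minimum, which is not stated on this page, and a hypothetical WSGI app; the reason text is HTML-escaped because a denial message often echoes request-derived values such as a path or user name.

```python
import html

# Assumption: a body strictly larger than this many bytes is long enough for
# the browser to render it instead of substituting its own error page.
MIN_BODY_BYTES = 512

def build_forbidden_body(reason, min_bytes=MIN_BODY_BYTES):
    """Return a UTF-8 HTML body for a 403 that is larger than min_bytes."""
    # Escape the reason so request-derived text cannot inject markup.
    page = (
        '<!DOCTYPE html><html><head><meta charset="utf-8">'
        "<title>403 Forbidden</title></head><body>"
        "<h1>Access denied</h1><p>{}</p>"
    ).format(html.escape(reason))
    tail = "</body></html>"
    # Measure encoded bytes, not characters: non-ASCII text is longer in UTF-8.
    size = len((page + tail).encode("utf-8"))
    if size <= min_bytes:
        overhead = len("<!--  -->")  # comment delimiters plus two spaces
        fill = max(min_bytes - size - overhead + 1, 0)
        # Invisible to the user, but counted in the response length.
        page += "<!-- " + "x" * fill + " -->"
    return (page + tail).encode("utf-8")

def app(environ, start_response):
    """Hypothetical WSGI app that denies every request with a padded 403."""
    body = build_forbidden_body(
        "You do not have permission to view this resource."
    )
    start_response("403 Forbidden", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]
```

The status line stays 403 Forbidden, so clients that act on the status code still see the denial; only the body length changes.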
A: 

To fix, see this topic. Put it through Google Translate and enjoy: http://lucasmsantini.blogspot.com/2010/09/iis-7-e-o-http-error-40314.html