What's the preferred file (and why do you prefer it) to store database connection strings in an ASP.Net application, where security is the primary issue?

Thanks

+3  A: 

The preferred way? Don't!

Use a trusted connection and Windows principal.

In connection string, either:

`Trusted_Connection = Yes`

or

`Integrated Security = SSPI` (or `True`)
Mitch Wheat
`Integrated Security=SSPI` ftw.
Eric
but where would you store the connection string?
Csharp
in your app.config
Mitch Wheat
Mitch... why would you store it in app.config?
Csharp
I think Mitch meant web.config and perhaps missed that you're doing ASP.Net and not a thick client.
Paul Sasik
Sorry, I did mean web.config
Mitch Wheat
+1  A: 

You can store the connection strings in your <connectionStrings> section of web.config, and then encrypt that section by using aspnet_regiis (in your C:\Windows\Microsoft.NET\Framework\v2.0.50727 directory):

`aspnet_regiis.exe -pef "connectionStrings" C:\yourproject\YourWebSite`

aspnet_regiis has a multitude of config parameters - the -pef allows you to specify the physical path where your website project is (and finds the web.config file in that path and encrypts the connectionStrings section inside it).

Or you could also possibly store things like server name (and database name, if that's configurable and could change) separately, in a config, and only build up your connection string at runtime in memory and never even store the whole connection string anywhere. But as soon as you have sensitive information like this, stored in a config file, you are well advised to encrypt it.

Marc

marc_s
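An audit check covering both answers above, added here as an example and not code from either poster: it reports whether a web.config's `<connectionStrings>` section is encrypted (as after `aspnet_regiis -pef`), uses Windows authentication, or still holds plaintext credentials. The sample configs, server names and the `audit_web_config` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SECRET_KEYS = {"password", "pwd"}  # keywords that embed a secret in the string
TRUSTED = {"integrated security": {"sspi", "true", "yes"},
           "trusted_connection": {"yes", "true"}}

# Constructed sample inputs (not taken from the page).
SAMPLE_PLAIN = """<configuration><connectionStrings>
  <add name="Sql" connectionString="Server=db01;Database=App;User Id=app;Password=example" />
  <add name="Win" connectionString="Server=db01;Database=App;Integrated Security = SSPI" />
</connectionStrings></configuration>"""
SAMPLE_ENCRYPTED = """<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>"""

def local(tag):
    """Drop an XML namespace prefix such as '{uri}EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def parse_connection_string(value):
    """Split 'Key=Value;...' into a dict with lower-cased keys.
    Simplification: quoted values containing ';' are not handled."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs

def audit_web_config(xml_text):
    """Return (name, finding) tuples for the <connectionStrings> section."""
    root = ET.fromstring(xml_text)
    section = next((e for e in root if local(e.tag) == "connectionStrings"), None)
    if section is None:
        return [("<section>", "missing")]
    # An encrypted section has a provider attribute and an <EncryptedData> child.
    if section.get("configProtectionProvider") and any(
            local(c.tag) == "EncryptedData" for c in section):
        return [("<section>", "encrypted")]
    findings = []
    for add in (e for e in section if local(e.tag) == "add"):
        pairs = parse_connection_string(add.get("connectionString", ""))
        if SECRET_KEYS.intersection(pairs):
            finding = "plaintext-credentials"
        elif any(pairs.get(k, "").lower() in ok for k, ok in TRUSTED.items()):
            finding = "windows-auth"
        else:
            finding = "no-auth-keywords"
        findings.append((add.get("name"), finding))
    return findings
```

Run against every web.config in a build or deployment share, a `plaintext-credentials` finding marks a section that needs either Windows authentication or encryption.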