I'm considering using FormsAuthentication in my web app. Just how secure is it to specify the users in the web.config that are allowed to use the application?

Here is an example of what I am talking about:

<authentication mode="Forms">
  <forms loginUrl="TestLogin.aspx" slidingExpiration="true" timeout="30">
    <credentials>
      <user name="test" password="password"></user>
    </credentials>
  </forms>
</authentication>
+1  A: 

I think it's fine for little simple sites. But I would certainly encrypt the passwords, like this:

<credentials passwordFormat="SHA1">
  <user name="UserName1" password="SHA1EncryptedPassword1"/>
  <user name="UserName2" password="SHA1EncryptedPassword2"/>
  <user name="UserName3" password="SHA1EncryptedPassword3"/>
</credentials>

More information on this here: http://msdn.microsoft.com/en-us/library/e01fc50a.aspx

Keltex
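As an added example (not part of the original answer or of ASP.NET itself), the script below produces the hashed <credentials> element the answer describes and checks a login against it. It assumes the documented behaviour of FormsAuthentication.HashPasswordForStoringInConfigFile: with passwordFormat="SHA1" the stored value is the upper-case hex SHA1 of the password, and a login is verified by hashing the supplied password and comparing. The user list is constructed for the demo. Note that this format has no per-user salt, so weak passwords stay weak even when hashed; the hashing only keeps the clear text out of the file.

```python
"""Generate and check SHA1-hashed <credentials> entries for web.config.

Added example, not from the original post. Mirrors the documented behaviour
of FormsAuthentication.HashPasswordForStoringInConfigFile (upper-case hex
SHA1 of the password) so the output can be pasted into web.config; the
user list below is constructed for the demo.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET


def hash_for_config(password: str) -> str:
    """Upper-case hex SHA1, the form ASP.NET expects when passwordFormat="SHA1"."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def render_credentials(users: dict) -> str:
    """Build the <credentials passwordFormat="SHA1"> element with hashed passwords.

    ElementTree handles attribute escaping, so a user name containing quotes
    or angle brackets cannot break the XML.
    """
    root = ET.Element("credentials", passwordFormat="SHA1")
    for name, password in users.items():
        ET.SubElement(root, "user", name=name, password=hash_for_config(password))
    return ET.tostring(root, encoding="unicode")


def authenticate(credentials_xml: str, name: str, password: str) -> bool:
    """Check a login the way the Forms provider does: hash, then compare."""
    root = ET.fromstring(credentials_xml)
    if root.get("passwordFormat") != "SHA1":
        raise ValueError('this checker only handles passwordFormat="SHA1"')
    candidate = hash_for_config(password)
    for user in root.findall("user"):
        if user.get("name") == name:
            # Constant-time compare: a wrong password takes the same time
            # no matter where it first differs from the stored hash.
            return hmac.compare_digest(user.get("password", ""), candidate)
    return False


# Constructed sample users for the demo (not real accounts).
SAMPLE_USERS = {"test": "password", "alice": "correct horse battery staple"}

if __name__ == "__main__":
    xml = render_credentials(SAMPLE_USERS)
    print(xml)
    print(authenticate(xml, "test", "password"))   # True
    print(authenticate(xml, "test", "Password"))   # False
```

Run it once to print the element, paste that into the <forms> section of web.config in place of the clear-text entries, and keep the generator script outside the web root.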
+1  A: 

By default, IIS will not serve any file that ends in a .config extension, so as long as you trust anyone who has access to manage your web server, you should be fine.

Think of it this way: most people store database connection information in their web.config files already, so if you have your users defined in a database, it's just one step away from being compromised anyway.

If you've only got a few users to deal with, and their credentials don't change often, you should be fine using web.config to store your users. It's probably a good idea to not store your users' passwords in plain text though. If you're super paranoid, have a look into encrypting the authentication section of your web.config file: http://www.codeguru.com/csharp/.net/net_asp/miscellaneous/print.php/c13663.

Tim S. Van Haren