tags:

views:

328

answers:

4
+4  Q: 

What is the best practise for storing database connection details in .NET?

This might be a duplicate (question) but I am looking specifically for the .NET best practise.

How to store database connection strings, username and password etc. in a safe way? Is an encrypted app.config best in most cases?

I would also like to be able to set the password in the config file and then have it encrypted as soon as the application starts. (I am not asking for a solution as I have solved this before, I'm just looking for best practise(s)).

I'm also interested in alternative solutions that you have good experiences with.

+6  A: 

I think the best practice is to use integrated security if possible, for 2 reasons... It is the easiest solution to manage and it is the easiest solution to get right.

If for some reason you can't use integrated security and you have to use username and password encrypt them using something like the Enterprise Library's Config Manager to encrypt sections of your web.config.

JohannesH  2009-08-14 10:43:52
this is the best approach and widley followed....
Ramesh Vel  2009-08-14 11:12:56
Thanks, I have never used the Enterprise Library before, I will check it out.
Ezombort  2009-08-14 11:16:48
Connections are pooled according to the connection string plus the user identity. Using Integrated Security could result in Connection Pool Fragmentation. (http://msdn.microsoft.com/en-us/library/8xx3tyca.aspx).
Vasu Balakrishnan  2009-08-14 20:49:28
@Vasu - I wasn't aware of that problem but I guess this is most important for Windows Apps since ASP.NET applications usually connects with the same user (i.e. the worker process identity).
JohannesH  2009-08-15 04:48:57
+4  A: 

There are several things that we should know about protecting connection strings: http://msdn.microsoft.com/en-us/library/89211k9b.aspx

In my view the best way to store them (the one that combines flexibility and security) is "Encrypting Configuration File Sections Using Protected Configuration": http://msdn.microsoft.com/en-us/library/ms254494.aspx

DmitryK  2009-08-14 11:05:24
+1  A: 

That would be web.config. You can encrypt the connection string if secrity is a concern.

Bhaskar  2009-08-14 11:12:55
A: 

Something that I have found to be useful lately, is Microsoft's Single Sign On service. If you need to use SQL Authentication, you can store the actual credentials in an encrypted database.

Chrisb  2009-08-14 15:11:43

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?