What is the best practice to store application settings (such as user name and password, database location ...) in C# ?

Hint: I am new to .net and C#

+7  A: 

Application Configuration Settings that are application wide (non-user specific) belong in either app.config (for Desktop apps) or web.config (for Web apps).

Encrypting sections of a web.config file is quite simple as outlined in this Super Simple Example.

If you need to store User specific settings (like application settings, etc.) or Application wide settings not related to application configuration you can use a Settings file as described here:

User Settings in C#

Justin Niessner
ok , is it secure ? if yes how to use it ? thanks
Its not secure automatically, but you can encrypt configuration files and their sections in .NET. See my answer, I've provided some links showing this.

I think app.config (non web app) or web.config (web app).


First option is the registry. It is easy, but it is not too safe for passwords. Another option is using a file that you create. This too isn't safe, unless you want to implement cryption.

Next option is using the Application Settings. This is also quite simple, but there are a few catches. First, right click on your project and go to Properties. There, under the Settings tab, you can store variables to which you can access from your program by

string password = Properties.Settings.Default.Password

You can also change them the same way, but ONLY IF the scope is set the User. WHen the scope is application-wide, VS does not allow you to change these variables for some odd reason. To save changes, you must call Save() as follows:


These are saved in the User Data folder under C:\Documents and Settings\'Current User'\Local Settings\Application Data\

Another option would be to include them in your database, but since you are also storing your database location, this might not work for you.

There are few excuses to still be using the registry for new applications.
David Neale

These sorts of settings usually land in Application Configuration Files (web.config, app.config).

If you are storing passwords, you might also need to encrypt the configuration section in question.

Note if you use app.config, you will see it get renamed to ..config, depending on if your output produces a DLL or an EXE.


appsettings config file, ini file(nini), embeddable database(sqlite,berklydb/etc..),whatever method you like, it depends on your application size/performance consideration and design.

+3  A: 

I'm not sure what version of .net/Visual Studio it was introduced in, but you can right click on your project, choose 'Add New Item' and select 'Settings File' from the "Add New Item" window. This provides your project with a (named by default) Settings.settings file that you can configure all the settings you want to expose in.

You can define settings that you create to be either Application or User which means you can use this single interface to control global and user settings. Once you've created a setting in the Settings.settings file using the editor that Visual Studio provides, you can access it in code like this:

// Get a Setting value
var valueOfSetting1 = Settings1.Default.Setting1;

// Modify and save a Setting value
Settings1.Default.Setting1 = "New Value";

As with the above replies suggest, app.config or the web.config is the best place for app settings. If you need a more robust way of xml style tags for database, server settings and the like, you can use the configurationSection and create custom sections.

For database passwords, the way i do it is have an encrypted string in the xml tag value and decrypt then when reading them, that way you dont expose the passwords.