Hi folks,
Just wondering if it's a good idea to put username and password in the application settings?
If not, where is the best place to store these?
--Jonesy
Since web.config is a protected file there will be no direct access to it. You will probably be fine storing your connection credentials there.
However, you can go a bit further and encrypt the appSettings in your web.config:
Walkthrough: Encrypting Configuration Information Using Protected Configuration
Configuration files will be an ideal place for keeping the details about the database credentials. But if you are worried about security because they are stored in plain text, then in ASP.NET you can encrypt a particular section of your web.config file.

Encryption can be done either by using the aspnet_regiis.exe utility with the relevant command-line arguments, or through code with the help of the "WebConfigurationManager" class.

Also, you don't need to unprotect a section in order to read the configuration settings in that section; the runtime will perform the decryption necessary for your application to read the plain text values.
E.g. aspnet_regiis.exe:
    C:\>aspnet_regiis -pdf "connectionStrings" "C:\Projects\My Site"
Here the pdf argument is used to specify the file path.
E.g. using WebConfigurationManager:
    // Requires: using System.Configuration; using System.Web.Configuration;
    protected void toggleEncryption(object sender, EventArgs e)
    {
        // Open the web.config at the application root.
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConnectionStringsSection section =
            config.GetSection("connectionStrings") as ConnectionStringsSection;

        if (section.SectionInformation.IsProtected)
        {
            // Already encrypted: write the section back as plain text.
            section.SectionInformation.UnprotectSection();
        }
        else
        {
            // Encrypt the section with the DPAPI-based provider.
            section.SectionInformation.ProtectSection(
                "DataProtectionConfigurationProvider");
        }
        config.Save();
        // WriteMessage is the poster's own output helper (not shown).
        WriteMessage("connections protected = " +
            section.SectionInformation.IsProtected);
    }
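
A check for the point made in the replies above, as an added example that is not part of the original posts: this PowerShell function reports whether the credential-bearing sections of a web.config are under Protected Configuration or still hold plaintext secrets. The function name, the key-name patterns and the sample config are assumptions constructed for illustration.

```powershell
function Test-ConfigSectionProtection {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [string[]] $SectionNames = @('connectionStrings', 'appSettings')
    )
    foreach ($name in $SectionNames) {
        # local-name() keeps the lookup working when <configuration> declares an xmlns.
        $node = $Config.SelectSingleNode(
            "/*[local-name()='configuration']/*[local-name()='$name']")
        if ($null -eq $node) { continue }   # section not present in this file

        # A protected section carries a configProtectionProvider attribute and
        # its content is replaced by an <EncryptedData> element.
        $provider    = $node.GetAttribute('configProtectionProvider')
        $encrypted   = $node.ChildNodes | Where-Object { $_.LocalName -eq 'EncryptedData' }
        $isProtected = [bool]$provider -and [bool]$encrypted

        # In a plaintext section, count entries that look like they carry a secret.
        $hits = 0
        if (-not $isProtected) {
            $hits = @($node.ChildNodes | Where-Object { $_.LocalName -eq 'add' } |
                Where-Object {
                    ($_.GetAttribute('connectionString') -match '\b(password|pwd)\s*=') -or
                    ($_.GetAttribute('key') -match 'pass|pwd|secret')
                }).Count
        }
        [pscustomobject]@{
            Section = $name; Protected = $isProtected
            Provider = $provider; PlaintextSecrets = $hits
        }
    }
}

# Constructed sample input (not from the original thread).
[xml]$sample = @'
<configuration>
  <appSettings>
    <add key="DbUser" value="appuser" />
    <add key="DbPassword" value="example-only" />
  </appSettings>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>
'@
Test-ConfigSectionProtection -Config $sample | Format-Table -AutoSize
```

For the sample, appSettings is reported as unprotected with one plaintext secret, and connectionStrings as protected. To check a deployed site, load the file with `[xml](Get-Content <path to web.config> -Raw)` and pass it as `-Config`.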