Database username and password in web.config

Discussion in 'ASP .Net' started by J.S., Aug 28, 2005.

  1. J.S.

    J.S. Guest

    Is it safe to have the database username and password in the web.config
    file?

    Thanks,
    J.S.

    --
     
    J.S., Aug 28, 2005
    #1

  2. Hi JS,

    .config will not be served to the client by ASP.NET by default. So your
    application users won't be able to access them off the browser.

    If a person has a login, access to the application's web server and enough
    privileges on the folder, he could access the web.config files. If you want
    to prevent this too, you have different options. These links might help.
    Using DPAPI:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp

    Using Registry:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT11.asp

    You could also just encrypt the string and store it in .config.

    --
    HTH,
    Rakesh Rajan
    MVP, MCSD
    http://www.msmvps.com/rakeshrajan/



    "J.S." wrote:

    > Is it safe to have the database username and password in the web.config
    > file?
    >
    > Thanks,
    > J.S.
    >
    > --
    >
    >
    >
     
    Rakesh Rajan, Aug 28, 2005
    #2
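
    The option mentioned in the reply above (DPAPI, with the encrypted value kept in .config) can be done in ASP.NET 2.0 and later through the framework's protected configuration feature. The sketch below is an added example, not code from any poster in this thread; the class and method names are hypothetical.

    ```csharp
    using System.Configuration;
    using System.Web;
    using System.Web.Configuration;

    // Added example: encrypts the <connectionStrings> section of the running
    // application's web.config in place, using the built-in DPAPI provider.
    public static class ConnectionStringProtection
    {
        // Name of the DPAPI-based provider registered in machine.config.
        private const string DpapiProvider = "DataProtectionConfigurationProvider";

        // Returns true if the section was encrypted by this call,
        // false if it is missing, locked, or already encrypted.
        public static bool EncryptConnectionStrings()
        {
            Configuration config = WebConfigurationManager.OpenWebConfiguration(
                HttpRuntime.AppDomainAppVirtualPath);
            ConfigurationSection section = config.GetSection("connectionStrings");

            if (section == null || section.SectionInformation.IsLocked)
                return false;
            if (section.SectionInformation.IsProtected)
                return false;

            section.SectionInformation.ProtectSection(DpapiProvider);
            section.SectionInformation.ForceSave = true;
            // Requires write access to web.config for the calling identity.
            config.Save(ConfigurationSaveMode.Modified);
            return true;
        }

        // Reading needs no extra code: the configuration system decrypts
        // a protected section transparently when it is loaded.
        public static string GetConnectionString(string name)
        {
            ConnectionStringSettings settings =
                ConfigurationManager.ConnectionStrings[name];
            if (settings == null)
                throw new ConfigurationErrorsException(
                    "Connection string '" + name + "' is not defined.");
            return settings.ConnectionString;
        }
    }
    ```

    With the DPAPI provider the ciphertext can only be decrypted on the server where it was encrypted, so the encrypted web.config cannot be copied between machines. Code running inside the application can still read the plaintext through `ConfigurationManager`.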

  3. What do you mean with safe: safe from who?

    If you mean safe from anonymous web visitors: yes.
    If you mean safe from administrator: no.
    If you mean safe from hackers who managed to get access to your
    webserver: without encryption: no...

    Perhaps you can tell more?

    Marcel van eijkel
    ( www.vaneijkel.com )
     
    Marcel van eijkel ( www.vaneijkel.com ), Aug 28, 2005
    #3
  4. J.S.

    J.S. Guest

    Hi Marcel,

    I think I did not frame my question well. What I would like to know is:
    what is the best way to store database connection information (i.e. SQL
    server address, username, password, database name) in ASP.Net 2.0?

    Thanks,
    J.S.

    --

    "Marcel van eijkel ( www.vaneijkel.com )" <> wrote
    in message news:...
    > What do you mean with safe: safe from who?
    >
    > If you mean safe from anonymous web visitors: yes.
    > If you mean safe from administrator: no.
    > If you mean safe from hackers who managed to get access to your
    > webserver: without encryption: no...
    >
    > Perhaps you can tell more?
    >
    > Marcel van eijkel
    > ( www.vaneijkel.com )
    >
     
    J.S., Aug 28, 2005
    #4
  5. J.S.

    J.S. Guest

    Hi Rakesh,

    Thanks for your response. I know .config files do not get served by ASP.Net
    but I don't know what the best method to store connection information is. I
    was planning to encrypt the string and store it in the .config file, as you
    have suggested, but I wanted to know what more experienced users such as
    yourself consider to be the best way to store this information where a) one
    has full access to the web server and b) where one is on shared hosting.

    I'll check out the links you have mentioned for using DPAPI and the
    Registry.

    Thanks,
    J.S.

    --

    "Rakesh Rajan" <rakeshrajan {at} mvps {dot} org> wrote in message
    news:...
    > Hi JS,
    >
    > .config will not be served to the client by ASP.NET by default. So your
    > application users won't be able to access them off the browser.
    >
    > If a person has a login, access to the application's web server and enough
    > privileges on the folder, he could access the web.config files. If you want
    > to prevent this too, you have different options. These links might help.
    > Using DPAPI:
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp
    >
    > Using Registry:
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT11.asp
    >
    > You could also just encrypt the string and store it in .config.
    >
    > --
    > HTH,
    > Rakesh Rajan
    > MVP, MCSD
    > http://www.msmvps.com/rakeshrajan/
     
    J.S., Aug 28, 2005
    #5
  6. J.S.

    jasonkester Guest

    With shared hosting, you're basically limited to compiling your
    connection information into the .dll or using .config files. Neither
    one works particularly well if you want to be able to deploy to
    multiple environments with multiple database servers. In your case,
    web.config seems fine.

    Jason Kester
    Expat Software Consulting Services
    http://www.expatsoftware.com/
     
    jasonkester, Aug 29, 2005
    #6
  7. J.S.

    J.S. Guest

    Thanks, Jason!

    J.S.

    --

    "jasonkester" <> wrote in message
    news:...
    > With shared hosting, you're basically limited to compiling your
    > connection information into the .dll or using .config files. Neither
    > one works particularly well if you want to be able to deploy to
    > multiple environments with multiple database servers. In your case,
    > web.config seems fine.
    >
    > Jason Kester
    > Expat Software Consulting Services
    > http://www.expatsoftware.com/
    >
     
    J.S., Aug 29, 2005
    #7
