newbie question: security of the web.config file

P

PJ6

Is it standard practice to store SQL login information in the web.config
file in plaintext?

Is this file sufficiently protected from the world in normal operation?

Paul
 
C

Curt_C [MVP]

PJ6 said:
Is it standard practice to store SQL login information in the web.config
file in plaintext?

Is this file sufficiently protected from the world in normal operation?

Paul

Many do. I dont if I can help it. I tend to use some encryption and have
a DLL in my app that has the key to decrypt. Of course this can all be
reversed without a good obfuscator.... but I'm digressing.
Yes it's done, but try not to use plain text if you can help it.
It's fairly secure from the outside, but not from anyone with server access.
 
S

Steve C. Orr [MVP, MCSD]

Yes, it is fairly standard practice to store SQL login information in the
web.config.
If you do this, I'd recommend also using a trusted connection so it isn't
necessary to store any passwords in the web.config.

Some web sites need extra tight security, in which case the web.config is
not suitable.
This article explains how to use the web.config for your connection string,
along with the registry and encryption to make sure everything is very
secure:
http://msdn.microsoft.com/library/d.../en-us/cpgenref/html/gngrfidentitysection.asp
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top