Encrypt and decrypt connectionstrings in web.config

DavidE

Hi,

I use the code below to encrypt and decrypt connectionstrings in the
web.config files.
It works well but I don't understand something about the decryption. A
hacker that gains the web.config file with the encrypted data can copy it to
a new web site that he created and use this line of code
section.SectionInformation.UnprotectSection() and so get the connectionstring
in plain text. I tried it. I copied the web config to a new web site and then
used this line of code and I got the original connectionstring. !!!!
Am I right? If I am, it is not a security solution.


// Requires: using System.Configuration; using System.Web.Configuration;

public void EncryptConnString()
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (!section.SectionInformation.IsProtected)
    {
        // Encrypt the section with the RSA provider and write it back to web.config.
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        config.Save();
    }
}


public void DecryptConnString()
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (section.SectionInformation.IsProtected)
    {
        // Remove the protection; Save() then writes the section in clear text.
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}


Thanks,

David
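
Added example, not part of the original post: with RsaProtectedConfigurationProvider the decryption key is not in web.config but in an RSA key container on the server, so a useful defensive check is which container protects the section and how widely it is shared. The class and method names are hypothetical; the default container name is the one set in the stock machine.config.

```csharp
// Added example (not from the thread). Class and method names are hypothetical.
using System.Configuration;
using System.Web.Configuration;

public static class ConnStringProtectionAudit
{
    // Container name configured for RsaProtectedConfigurationProvider in the
    // stock machine.config. It is a machine-level container, shared by every
    // application on the server that uses the default provider.
    private const string DefaultContainer = "NetFrameworkConfigurationKey";

    // virtualPath: the application path, e.g. Request.ApplicationPath.
    public static string Describe(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            return "connectionStrings section not found";

        SectionInformation info = section.SectionInformation;
        if (!info.IsProtected)
            return "connectionStrings is stored in clear text";

        // The provider object exposes the key container settings it was
        // initialized with (from machine.config or web.config).
        RsaProtectedConfigurationProvider rsa =
            info.ProtectionProvider as RsaProtectedConfigurationProvider;
        if (rsa == null)
            return "Protected by non-RSA provider: " + info.ProtectionProvider.Name;

        string scope = rsa.UseMachineContainer ? "machine-level" : "user-level";
        string report = "Provider " + rsa.Name + ", " + scope +
                        " key container '" + rsa.KeyContainerName + "'.";

        // Flag the shared default: the ciphertext is only as private as
        // the ACL on this container.
        if (rsa.UseMachineContainer && rsa.KeyContainerName == DefaultContainer)
            report += " Default shared container: any application on this server" +
                      " whose account can read it can call UnprotectSection().";
        return report;
    }
}
```

A per-application container created with aspnet_regiis -pc and granted only to that site's identity with aspnet_regiis -pa narrows which accounts can decrypt the section.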
 
venkat athota

Hi David,
I have seen your post and you said it works good, but I am also doing the same thing as you do and it fails for me.
Actually I am using another config file and it has the connectionstrings section to be encrypted, so I want to know what the virtual path to be given should be.

My project name is masterpages and the file name is commonconnstring.config. Can you tell me what the virtual path for this file would be?

Here is my code:

Private Sub EncryptConnString()
    Dim config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath & "/commonconnstring.config")
    Dim section = config.GetSection("connectionstrings")

    If (Not section.SectionInformation.IsProtected) Then
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider")
        config.Save()
    End If
End Sub


I appreciate your reply.

Thank you



David wrote:

Encrypt and decrypt connectionstrings in web.config
18-Jul-07

Hi

I use the code below to encrypt and decrypt connectionstrings in the
web.config files.
It works well but I don't understand something about the decryption. A
hacker that gains the web.config file with the encrypted data can copy it to
a new web site that he created and use this line of code
section.SectionInformation.UnprotectSection() and so get the connectionstring
in plain text. I tried it. I copied the web config to a new web site and then
used this line of code and I got the original connectionstring. !!!
Am I right? If I am, it is not a security solution.

public void EncryptConnString()
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (!section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        config.Save();
    }
}

public void DecryptConnString()
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}


Thanks

David
