The "&" character breaks passwords that are stored in the web.config

Question

I have an ASP.NET MVC3 C# .NET Application running on IIS 7.5.

We have a Windows NT service account we Impersonate in our code in order to read/write documents to a file share. The user id is compiled in the code and the service account password is stored in the web.config file.

The password contains an ampersand character (i.e.: p&ssword).

This broke the site. When accessing the site we received this error :"Sorry, an error occurred while processing your request".

Here is the code that uses the password:

    var password = ConfigurationManager.AppSettings.Get(Common.SVC_PWD);

    bool isSuccess = LogonUser(
        @"my_svc_acct",
        "my.domain.net",
        password,
        LOGON32_LOGON_NEW_CREDENTIALS,
        LOGON32_PROVIDER_DEFAULT, ref token
    );

Why would this cause the site to break?

I think because web.config is treated as an XML document - see here http://stackoverflow.com/questions/3824351/how-to-include-ampersand-in-connection-string-password-when-using-entity-framewo — Scott Selby, Jan 30 '13 at 15:45
My first guess is that the password in the config file is incorrect. But have you tried calling GetLastError (http://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx) to see what the error is? I also have to add that storing a clear-text password in a configuration file is not a good idea; I'd encrypt it at a minimum. — Jeff Siver, Jan 30 '13 at 15:48

Rui Jarimba · Accepted Answer · 2017-03-28T08:57:55.867

172

I suspect that you didn't encode the password properly in the web.config file. Remember that web.config is a XML file, so entities must be encoded.

Instead of

my&password

try

my&amp;password

You can use sites such as FreeFormatter.com to escape/unescape XML strings.

edited Mar 28 '17 at 08:57

answered Jan 30 '13 at 15:45

Rui Jarimba

11,166
11
56
86

3

everyone how use it for URL be careful! URL with "&" is NOT the URL with "&". Don't forget to replace it by code before applying it for your URL address. I have fallen into this pitfall and dealt with a bug for whole day before finding the reason. – Mr.B Nov 28 '17 at 12:10

Kelsey · Answer 2 · 2013-01-30T15:53:27.733

64

You will need to put the encoded value in the web.config. It will read it out properly once you pull it but in the config file itself it needs to be encoded.

eg:

Password: your&password (what you expect)

Encoded version: your&password (what should be stored in your web.config)

Your wrapper method that reads out the value should unencode it automatically to your&password.

You will need to do this for all 'special' characters:

< = &lt;
> = &gt;
" = &quot;
' = &apos;
& = &amp;

edited Jan 30 '13 at 15:53

answered Jan 30 '13 at 15:47

Kelsey

47,246
16
124
162

1

I'm using VS2015 where & or & both results the same i.e "&" but i want "&" – Purushoth Sep 18 '17 at 13:27
Thanks. Working fine in VS2017+ – vibs2006 Feb 06 '21 at 18:47

score -1 · Answer 3 · answered Jan 30 '13 at 15:49

-1

store the password in the web.config using CDATA

replace the password with this

<![CDATA[MyPassw&rd]]>

answered Jan 30 '13 at 15:49

Scott Selby

9,420
12
57
96

9

Won't work: you can't put a CDATA section inside an attribute value. – Joe Mar 03 '13 at 19:30
3

Joe is correct this cannot be used in a config file as an attribute value – user99513 Sep 16 '17 at 14:52
1

@user99513 a tip: if you agree with someone's comment, you can just upvote his/her comment instead of writing a new comment mentioning only that you agree with the previous commenter. – user1451111 Dec 13 '19 at 04:55
6

I completely agree with @user1451111 – Halvard Jan 14 '20 at 14:28

The "&" character breaks passwords that are stored in the web.config

3 Answers3

Linked