
Is it secure to store a username or password in web.config like the other parameters, e.g. the timeout period, in ASP.NET MVC applications? If not, is it possible to make these parameters securable so that they cannot be read from the web.config file on the published server? On the other hand, would you suggest storing the username, password and the other constant parameters in a Class (*.cs) file as static values? Could you please clarify for me which approach is better for storing such parameters?

Murat Yıldız
  • [Encrypting app.config File](http://stackoverflow.com/questions/3349551/encrypting-app-config-file) – Steve Apr 07 '16 at 09:30
  • @Steve Thanks for your help. I meant the person who has access to the server to which the application is published with "they cannot be encoded in the web.config file on the published server". So, using the web.config option I need to use encryption, something like you suggested. On the other hand, using a Class file option also seems to be good, but I think there is no need to create a Resources project for a project that's not big. In that case, is it a good idea to use just a Class file, i.e. called Constant, in order to store all the password or user parameters instead of web.config? – Murat Yıldız Apr 07 '16 at 10:23
  • Not really. .NET code can be easily decompiled, and even with some kind of obfuscation it is difficult to hide a constant string. Nothing is really secure if you cannot physically forbid access to the computer where your code runs. At least there are some kinds of encryption that are strong enough to keep onlookers at a distance. All depends on how secure you need to be. – Steve Apr 07 '16 at 10:40
  • @CodeCaster What about encrypting web.config file instead of using an extra file? – Murat Yıldız Feb 06 '17 at 07:03
  • See Scott Hanselman's post [Best practices for private config data and connection strings in configuration in ASP.NET and Azure](https://www.hanselman.com/blog/BestPracticesForPrivateConfigDataAndConnectionStringsInConfigurationInASPNETAndAzure.aspx) – Michael Freidgeim Aug 18 '19 at 02:10

2 Answers


You should never store sensitive data in source code. You can use the configSource attribute to replace the entire <connectionStrings> markup.

<connectionStrings configSource="ConnectionStrings.config">
</connectionStrings>

ConnectionStrings.config should be in the same folder as Web.config. It's best to keep the .config extension, as config files are not served by IIS. This file must be ignored by the version control system.

https://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure

Sergei Shvets
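Added example, not code from the answer above or from the linked articles: a small C# admin helper that encrypts the <connectionStrings> section of an already-deployed Web.config in place with the built-in DPAPI provider, the in-place encryption route the comments discuss. Application code keeps reading the section through ConfigurationManager unchanged; the Web.config path, the class and method names, and the sample connection-string name are assumptions.

```csharp
// Added example (not from the original answer). Run once on the target server,
// after deployment: DataProtectionConfigurationProvider (DPAPI) binds the
// ciphertext to this machine, so a config encrypted elsewhere will not decrypt here.
using System;
using System.Configuration;

static class ConfigProtector
{
    // DPAPI: no key management, but machine-bound. For web farms use
    // "RsaProtectedConfigurationProvider" and export/import the RSA key container.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the given Web.config if it is still plaintext.
    // Returns true when the file was changed, false when it was already protected.
    public static bool ProtectConnectionStrings(string webConfigPath)
    {
        // Open the file by physical path so this works without IIS metabase access.
        var map = new ExeConfigurationFileMap { ExeConfigFilename = webConfigPath };
        Configuration config = ConfigurationManager.OpenMappedExeConfiguration(
            map, ConfigurationUserLevel.None);

        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write even if nothing else changed
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Verification step: the framework decrypts transparently, so reading the
    // connection string back is the same call application code already makes.
    public static string ReadBack(string webConfigPath, string name)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = webConfigPath };
        Configuration config = ConfigurationManager.OpenMappedExeConfiguration(
            map, ConfigurationUserLevel.None);
        var cs = config.ConnectionStrings.ConnectionStrings[name];   // "name" is assumed
        return cs == null ? null : cs.ConnectionString;
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\MySite\Web.config"; // assumed path
        Console.WriteLine(ProtectConnectionStrings(path) ? "encrypted" : "already protected");
        // Confirm the file is now unreadable in a text editor but still usable by the app.
        Console.WriteLine(ReadBack(path, "DefaultConnection") != null ? "read-back ok" : "no such name");
    }
}
```

After running it, the <connectionStrings> element on disk contains only an <EncryptedData> block; the account the application pool runs under must be the one that encrypted it (or, for the RSA provider, have been granted access to the key container) for the transparent decryption to succeed.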

Check these links:

https://web.archive.org/web/20211020203213/https://www.4guysfromrolla.com/articles/021506-1.aspx

http://www.aspnettutorials.com/tutorials/advanced/encrypt-conn-str-asp4-cs.aspx

Better yet, do not use SQL Server Security and instead use Integrated Security and only allow the account your web app (pool) runs under to access the DB.

Prabhat Sinha