1

Actual question: Is it considered best practice to store clear text connection strings in a web.config file in an ASP.Net web application?

Background:
Currently developing a web application which I want to be able to install on different sites (where I will only have plain text editing). The application requires a number of different connection strings (which will obviously be different depending on which site the app is deployed on) so I want to be able to store all the connection strings (with usernames and passwords) in the web.config.

ChrisF
  • 134,786
  • 31
  • 255
  • 325
Rich
  • 3,781
  • 5
  • 34
  • 56

2 Answers2

3

The Best Practice is to Encrypt the Connection Strings . Refer This

Community
  • 1
  • 1
Kumar
  • 997
  • 5
  • 8
0

Will the sites be running on a windows domain? My preferred practice is to use integrated security, rather than usernames and passwords. In such a case, the app pool under which the site runs is set to run as a particular user. This is abstracted from the actual web code. In this case, you don't have to worry about encrypting user names and passwords. The server address is stored in clear text, but no passwords are... In the web config, add your connection strings to your connectionStrings element:

<connectionStrings>
  <add 
    name="MyDbConn" 
    Provider="System.Data.SqlClient" 
    connectionString="Server=MyDbServer; Integrated Security=SSPI; Initial Catalog=MyDb;" />
</connectionStrings>
essedbl
  • 520
  • 1
  • 7
  • 19
  • How would you handle this if the web server and db server weren't running on the same domain? Would it be possible? – Mike Cole Mar 17 '11 at 01:25