
Enhanced and Secure Connection Strings in Web.Config

By Vasudevan Deepak Kumar

Here we discuss some simple steps for keeping our database connection strings safe and encrypted in Web.Config.
C#, VB.NET 1.0, Win2K, WinXP, Windows, .NET, ASP.NET, Visual Studio, Dev

Posted: 25 Jan 2003
Updated: 25 Jan 2003

Introduction

In developing ASP.NET applications, we make heavy use of Web.Config to store and retrieve database connection strings. But we need to be aware that Web.Config is a plain XML text file and its contents are readable by any user with access to the web server's file system. Although requests such as http://localhost/deepak/web.config are refused by the web server with the message 'The type of page is not served', anybody with console access to the system can still open the file and read the database connection strings, which might contain the database password in unencrypted form.

Simple encryption

After a great deal of searching in MSDN and other sites, I found a simple way to encrypt strings using a key string of at least 8 characters (8 characters should be okay, since even MSN Hotmail recommends a minimum of 8-character passwords for all accounts). Sections have been taken from the ASPAlliance example, but the method has been kept as a static method for the simple reason that you need not create an object for every encryption and decryption.

The attached example makes use of DESCryptoServiceProvider, which is available in the System.Security.Cryptography namespace.

Enhancement

For the sake of the example, I have given both the key and the encrypted string in web.config. But for security reasons, it would be advisable to keep the key elsewhere in the file system and read it dynamically from that location. Additional care has to be taken that the place where we store the key is accessible only to system administrators and other authorized personnel. With this strategy in place, the database connection string could be made relatively safe for a particular web application.
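
One way to apply the enhancement described above, shown as an added example rather than the article's attached Cryptography.cs: the key is loaded from a file outside the web root, and the value stored in web.config is Base64(IV || ciphertext). It substitutes AES-CBC for the article's DESCryptoServiceProvider, since DES's 56-bit key is no longer considered adequate; the class name, key-file location and sample connection string are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example; class name, key-file location and connection string are constructed.
public static class ConnStringProtector
{
    // The key is Base64 text in a file outside the web root (admins and app identity only).
    public static byte[] LoadKey(string keyFilePath)
    {
        byte[] key = Convert.FromBase64String(File.ReadAllText(keyFilePath).Trim());
        if (key.Length != 32) throw new CryptographicException("Expected a 32-byte key.");
        return key;
    }
    // Returns Base64(IV || ciphertext), the value to store in web.config.
    public static string Encrypt(string plainText, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV(); // fresh random IV for every stored value
            byte[] data = Encoding.UTF8.GetBytes(plainText);
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return Convert.ToBase64String(
                    aes.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray());
        }
    }
    public static string Decrypt(string base64Blob, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = blob.Take(16).ToArray(); // the AES block size is 16 bytes
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, 16, blob.Length - 16));
        }
    }

    public static void Main() // round trip with a throwaway key file in the temp directory
    {
        string keyFile = Path.Combine(Path.GetTempPath(), "connkey.demo");
        using (Aes a = Aes.Create()) File.WriteAllText(keyFile, Convert.ToBase64String(a.Key));
        byte[] key = LoadKey(keyFile);
        Console.WriteLine(Decrypt(Encrypt("Server=db01;User Id=app;Password=example", key), key));
        File.Delete(keyFile);
    }
}
```

In a web application, Decrypt would be called on the cDb value read from web.config, and only LoadKey needs to know where the key file lives.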

How to use the example

Include the following two lines in web.config:

         <add key="cKey" value="LavanyaDeepak"/>
         <add key="cDb" value="C0AHny7FDFewTPE7eTp5RA=="/>

Unzip the files in the archive (Cryptography.cs, Test.Aspx and Test.Cs) into any of your test applications and include them in a project in Visual Studio .NET. Build the application and run test.aspx from the web browser.

Conclusion

I hope the above article will be very useful for .NET developers worldwide in making effective and secure use of database connection strings that are put in Web.Config. Many thanks to the developers whose ideas and pieces of code have helped me in drafting these static methods.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

Vasudevan Deepak Kumar


Vasudevan Deepak Kumar is from Chennai, India, and has been programming since 1994, when he was 15 years old. He has a Bachelor of Engineering (in Computer Science and Engineering) from Vellore Engineering College (now VIT University). He also has an MBA in Systems from Alagappa University, Karaikudi, India.

He started his programming career with GWBasic and then, in college, was involved in developing programs in Fortran, Cobol and C++. He has been developing with Microsoft technologies such as ASP and SQL Server 2000. For some time, he also worked on PHP and MySQL based development at one of his previous organizations. His current focus is on the Microsoft .NET world (ASP.NET, C# and Whidbey).

In his spare time, he listens to polite Carnatic music.

Web Presence



Homepage

http://www.lavanyadeepak.tk/

Occupation: Web Developer
Location: India

Last Updated: 25 Jan 2003
Editor: Smitha Vijayan
Copyright 2003 by Vasudevan Deepak Kumar