Posted 25 Jan 2003

Enhanced and Secure Connection Strings in Web.Config

This article describes some simple steps that help keep database connection strings in Web.Config encrypted rather than in clear text.


In developing ASP.NET applications we make heavy use of Web.Config to store and retrieve database connection strings. But we need to be aware that Web.Config is a plain XML text file, and its contents are readable by any user who has access to the web server's file system. Although a request such as http://localhost/deepak/web.config is refused by ASP.NET with the message 'This type of page is not served', anybody with console access to the machine can still open the file and read the connection strings, which usually contain the database password in clear text. The same is true of every copy of the file: backups, deployment packages and source control exports.

Simple encryption

After a good deal of searching MSDN and other sites, I found a simple way to encrypt strings with a key of at least 8 characters. The figure of 8 is not a password-policy choice: the DES algorithm takes a 64-bit (8-byte) key, of which 56 bits are effective, and that is where the 8-character minimum comes from. Bear in mind that a 56-bit key drawn from printable characters is well within reach of brute force today, so treat this as obscuring the connection string rather than as strong cryptography. Sections have been taken from the ASPAlliance example, but the methods have been kept static for the simple reason that you then need not create an object for every encryption or decryption call.

The attached example makes use of DESCryptoServiceProvider, which is available in the System.Security.Cryptography namespace.


For the sake of the example, I have put both the key and the encrypted string in web.config. For security reasons it would be better to keep the key elsewhere in the file system and have the application read it from that location at run time. The key file must then be protected with an ACL that grants read access only to the application's process identity (the ASPNET account in ASP.NET 1.x, or the application pool identity) and to System Administrators and other authorized personnel; nobody else should be able to read it. Be clear about what this buys: anyone who can read the key file, or who can run code under the application's identity, can recover the connection string exactly as the application does, so the measure raises the bar against casual reading of web.config rather than against an attacker who already controls the web server. (From ASP.NET 2.0 onwards the framework offers Protected Configuration, e.g. aspnet_regiis -pe "connectionStrings" -app "/MyApp", which encrypts the section with DPAPI or RSA and keeps no key in the file; on ASP.NET 1.x, which this article targets, the approach below is the practical option.) With this strategy in place, the database connection string can be made relatively safe for a particular web application.

How to use the example

Include the following two lines in web.config:

<add key="cKey" value="LavanyaDeepak"/>
<add key="cDb" value="C0AHny7FDFewTPE7eTp5RA=="/>

Unzip the files in the archive (Cryptography.cs, Test.aspx and Test.cs) into any of your test applications, include them in a Visual Studio .NET project, build the application and open test.aspx in the web browser.
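The following is an added example, not the article's attached Cryptography.cs (which is not reproduced on this page). It shows a static DES helper in the style described above and, beside it, a DPAPI-based alternative that keeps no key in web.config at all. Assumptions: the DES key is the first 8 ASCII characters of the configured key string, the IV is random and prepended to the ciphertext (so the cDb sample value above will not decrypt with this code), and the key and connection string in Main are constructed sample values. The DPAPI part needs .NET 2.0 or later on Windows.

```csharp
// Added example, not the article's attached Cryptography.cs.
// Shows the article's approach (static DES helper keyed from an
// 8-character string) and a DPAPI alternative beside it.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class ConnectionStringCrypto
{
    // DES uses an 8-byte key (56 effective bits). Assumption: the first
    // 8 ASCII characters of the configured key string become the key.
    private static byte[] KeyBytes(string key)
    {
        if (key == null || key.Length < 8)
            throw new ArgumentException("key must be at least 8 characters", "key");
        return Encoding.ASCII.GetBytes(key.Substring(0, 8));
    }

    // DES-CBC with PKCS#7 padding; a fresh random IV is prepended to the
    // ciphertext so the same connection string never encrypts twice alike.
    public static string Encrypt(string plainText, string key)
    {
        using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
        {
            des.Key = KeyBytes(key); // throws CryptographicException for DES weak keys
            des.GenerateIV();
            byte[] data = Encoding.UTF8.GetBytes(plainText);
            using (MemoryStream ms = new MemoryStream())
            {
                ms.Write(des.IV, 0, des.IV.Length);
                using (CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(data, 0, data.Length);
                    cs.FlushFinalBlock();
                }
                return Convert.ToBase64String(ms.ToArray());
            }
        }
    }

    public static string Decrypt(string cipherText, string key)
    {
        byte[] blob = Convert.FromBase64String(cipherText);
        if (blob.Length < 16 || blob.Length % 8 != 0)
            throw new CryptographicException("ciphertext is not IV + whole DES blocks");
        using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
        {
            des.Key = KeyBytes(key);
            byte[] iv = new byte[8];
            Array.Copy(blob, 0, iv, 0, 8);
            des.IV = iv;
            using (ICryptoTransform dec = des.CreateDecryptor())
            {
                // A wrong key normally fails here with a padding error rather
                // than silently returning garbage; about 1 in 256 wrong keys
                // will slip through the padding check, so callers should still
                // validate the result (e.g. by opening the connection).
                byte[] plain = dec.TransformFinalBlock(blob, 8, blob.Length - 8);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    // DPAPI alternative (.NET 2.0+, Windows only): the key is held by Windows
    // for the account that runs the application, so nothing secret sits in
    // web.config or in a file on the web server. Any code running as that
    // account can still decrypt, which is the limit the comments on this
    // page point out.
    public static string ProtectForCurrentUser(string plainText)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(plainText), null, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    public static string UnprotectForCurrentUser(string cipherText)
    {
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(cipherText), null, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }
}

public class Demo
{
    public static void Main()
    {
        // Constructed sample values; in the article the key comes from
        // <add key="cKey" .../> and the ciphertext from <add key="cDb" .../>.
        string key = "LavanyaDeepak";
        string conn = "server=(local);database=Northwind;uid=app;pwd=S3cret!";

        string enc = ConnectionStringCrypto.Encrypt(conn, key);
        Console.WriteLine("cDb value:  " + enc);
        Console.WriteLine("round trip: " + (ConnectionStringCrypto.Decrypt(enc, key) == conn));

        try
        {
            ConnectionStringCrypto.Decrypt(enc, "WrongKey1");
            Console.WriteLine("wrong key produced output; padding happened to validate");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("wrong key rejected: " + ex.Message);
        }

        string dpapi = ConnectionStringCrypto.ProtectForCurrentUser(conn);
        Console.WriteLine("DPAPI round trip: " + (ConnectionStringCrypto.UnprotectForCurrentUser(dpapi) == conn));
    }
}
```

In an ASP.NET page the key and ciphertext would be read with ConfigurationSettings.AppSettings["cKey"] and ["cDb"] (ASP.NET 1.x) and passed to Decrypt once, with the result cached rather than decrypted on every request. The DPAPI variant must be run under the same Windows account that the web application uses, otherwise Unprotect fails.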


I hope the above article is useful to .NET developers in making effective and secure use of the database connection strings kept in Web.Config. Many thanks to the developers whose ideas and pieces of code helped me draft these static methods.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Vasudevan Deepak Kumar
Software Developer
India
Vasudevan Deepak Kumar is from Chennai, India who has been in the programming career since 1994, when he was 15 years old. He has his Bachelors of Engineering (in Computer Science and Engineering) from Vellore Engineering College. He also has a MBA in Systems from Alagappa University, Karaikudi, India.
He started his programming career with GWBasic and then in his college was involved in developing programs in Fortran, Cobol, C++. He has been developing in Microsoft technologies like ASP, SQLServer 2000.
His current focus is ASP.NET, C#, VB.NET, PHP, SQL Server and MySQL. In his pastime he listens to polite Carnatic Music. But the big question is, with his current to-do list backlog, does he get any pastime?


Comments and Discussions

login.aspx (Ajay Kale New, 27-Sep-10 1:06)

Developer Caste System (shitba, 13-Jan-06 6:12)

The encryption code (durayakar, 12-Nov-03 17:41)
If you have deployed the encrypt/decrypt function/component on the web server, the person who has access to your web site folder can add a very simple aspx page and/or piece of code to your web site and call the very same function to decrypt the connection string...

I also do not see any increased "security" by encrypting the connection string if the decryption code is on the same hosting environment... If the person has access to the web site folder, he has full access to the compiled and ready-to-use decryption code as well...

I also do not see any further security in the user access stuff... If the suspect has access to your web site folder, he will be able to run his code under your account, in other words under the very same identity that your web site code runs under...

So, this connection string will remain vulnerable to being compromised by the web site admin who has access to your web site folder directly.


Duray AKAR

hmm ... (krumpo, 28-Jan-03 1:52)
Re: hmm ... (Enki42, 30-Jan-03 15:10)
Re: hmm ... (Deepak Kumar Vasudevan, 30-Jan-03 17:42)
Re: hmm ... (Enki42, 31-Jan-03 2:22)
Re: hmm ... (ThePhoenix, 8-Jul-03 23:20)
Re: hmm ... (Anonymous, 22-Feb-05 11:27)
Re: hmm ... (Anonymous, 12-Oct-05 8:19)
Re: hmm ... (shahprabal, 4-Jan-06 8:26)

Cool Idea (Heath Stewart, 26-Jan-03 5:56)

Last Updated 26 Jan 2003
Article Copyright 2003 by Vasudevan Deepak Kumar