Click here to Skip to main content
14,365,608 members
Rate this:
Please Sign up or sign in to vote.
See more:
Name and password information should not be included in a configuration file in plaintext as this will allow anyone who can read the file access to the resource.
    
I want to Encrypt the config file and How to avoid Hardcoded password in Config file?

What I have tried:

<pre><connectionStrings>    
<addname="cs"connectionString="DataSource=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=XXSDFASFDKD;"/>
</connectionStrings>
Posted
Updated 15-Mar-19 4:09am
v2
Comments
Richard MacCutchan 15-Mar-19 7:57am
   
What is the question?
Jawaharjak 15-Mar-19 8:17am
   
I want to Encrypt the config file and How to avoid Hardcoded password in Config file?
ZurdoDev 15-Mar-19 8:40am
   
If you google how to encrypt web.config, you'll find a ton of articles on how to do it.
Rate this:
Please Sign up or sign in to vote.

Solution 3

This is not a serious issue, unless you are allowing everybody to see what is written in the file.
<connectionStrings>    
    <addname="cs"connectionString="DataSource=myServerAddress;Initial Catalog=myDataBase; User Id=myUsername; Password=XXSDFASFDKD;"/>
</connectionStrings>
The problem with this approach can come, when you either store these values inside your version control, or you allow everybody to read your production configurations.

I have used some other methods to overcome this problem. Most of the cloud based (and others too) hosting solutions provide environment configuration settings. You can use either that, or you can rewrite the configuration files upon deployment, something like this, https://docs.microsoft.com/en-us/previous-versions/aspnet/dd465326(v=vs.110), or you can use naming convention like web.config and web.Release.config. This way, you will only check-in web.config, and keep the web.Release.config version somewhere safe—if you of course don't trust your developers.

What I did was, I loaded these values on runtime using environment variables, and forwarded them to the type loaders and initializers. This way, I had the production values configured only on the hosting service, and local engineers only see their own system-level configurations. Other than that, there is no problem, and remember, encryption will only exaggerate the problem, instead of solving ittry it to experience it.

Check out this video to understand how, https://www.youtube.com/watch?v=MkcsbM7_2aE
   
v2
Rate this:
Please Sign up or sign in to vote.

Solution 2

This how we do it. All web applications that connect to a db use windows authentication. We create a service account that the application runs under. This is configured in the application pool assigned to the web application.
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100