Wrox Programmer Forums
BOOK: ASP.NET Website Programming Problem-Design-Solution
This is the forum to discuss the Wrox book ASP.NET Website Programming: Problem - Design - Solution, Visual Basic .NET Edition by Marco Bellinaso, Kevin Hoffman; ISBN: 9780764543869

You are currently viewing the BOOK: ASP.NET Website Programming Problem-Design-Solution section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old March 16th, 2004, 12:20 PM
Authorized User
 
Join Date: Mar 2004
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default security - xml connection string

I have a question about using this website as a model for a public website. I am concerned about having my database connection string in an XML file. Should I be concerned? Is this more or less safe than having the connection string in my web.config file?

 
Old March 16th, 2004, 12:25 PM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Default

Web.config files are protected by the setup of the Framework by default.
This means that whenever someone requests a Web.config file, IIS will hand the request over to the forbidden content type handler (something like this, can't recall the exact name) which prevents the file from being downloaded.

XML files are usually seen as content files and can be downloaded if you know their name and location. So, yeah, storing them in an XML file with the Web scope (anywhere below the Web root folder) poses a security risk.

However, you can configure IIS or the disk (NTFS) to block access to the file for unauthenticated users.

HtH,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
 
Old March 16th, 2004, 01:11 PM
Authorized User
 
Join Date: Mar 2004
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default

The project I am working on will be a public website where individuals must register to use the site and view the content of the site. I have normally worked with either anonymous access public sites or Protected Windows integrated security intranet sites. This is new for me.

I would like your opinion: would you use NTFS to protect the folder and use the XML configuration files as presented in "ASP.Net Programming", or would you place the database access connection string in the web.config, or is there a better, more robust / secure solution that you would recommend? Thanks again for your response.

 
Old March 16th, 2004, 01:24 PM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Default

Are you still using Anonymous access for the Web site?

If that's the case, change the Security for your folder that holds the connection strings. Set it to Integrated Security only (that is, remove anonymous and basic). On NTFS, remove all permissions except for read permission by the anonymous IUSR account (and maybe yourself or an Administrator account).

This way, IIS will be able to read the contents of the folder. If an anonymous user tries to request a file, Integrated Security won't work and they won't get access to the config files.

Alternatively, place the config files outside Web scope; e.g. in a folder called C:\Config. IIS can still read the files, but users won't be able to request them. I haven't read the book, so I don't know if this is applicable in your scenario.

Finally, you could move the connection strings to a Web.Config file. IMO, that makes sense. The inventors of ASP.NET probably thought about this for a while so I am sure there is a good theory behind its design. It also gives you easy access to its contents.

I think all three scenarios are safe: you can protect your connection strings from prying eyes on the Internet. What you choose is up to you: whatever is easiest to implement, or seems most logical to you.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
 
Old March 16th, 2004, 01:35 PM
Authorized User
 
Join Date: Mar 2004
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks again.

 
Old March 24th, 2004, 11:57 PM
Authorized User
 
Join Date: Mar 2004
Posts: 33
Thanks: 0
Thanked 0 Times in 0 Posts
Default

A relatively easy solution to this issue is to encrypt the string that's stored in web.config.

 
Old March 30th, 2004, 04:55 AM
Authorized User
 
Join Date: Nov 2003
Posts: 20
Thanks: 0
Thanked 0 Times in 0 Posts
Default

But the module config files have a .config extension - it is the file extension that is screened by IIS. So they are no less safe than web.config.

brian
 
Old March 30th, 2004, 05:37 AM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Default

Right, I didn't know that (I don't have that book).
The OP said: "xml configuration files" so I assumed files with an .xml extension.

If they end with .config, they are indeed as safe as any other .config file.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
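An audit of the distinction the thread ends on, added here as an example and not taken from the book or from any poster: it walks a web root and reports files that contain a connection string but do not carry the screened `.config` extension. The regular expression, the function names and the demo site layout are all constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: only ".config" is listed, the one extension the thread confirms.
BLOCKED_EXTENSIONS = {".config"}

# Heuristic for an ADO.NET-style connection string (constructed pattern).
CONN_STRING = re.compile(
    r"\b(data source|server)\s*=[^;\"<]+;.*"
    r"\b(password|pwd|user id|uid|integrated security|initial catalog)\s*=",
    re.IGNORECASE,
)

def audit_webroot(webroot):
    """Return relative paths of downloadable files that hold a connection string."""
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                continue  # screened by the forbidden handler
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if CONN_STRING.search(fh.read()):
                    rel = os.path.relpath(path, webroot)
                    findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)

def build_demo_tree():
    """Create a constructed site layout and return the path of its web root."""
    base = tempfile.mkdtemp()
    secret = ('<settings><add key="ConnString" value="Server=db01;'
              'Initial Catalog=Site;User ID=web;Password=example"/></settings>')
    layout = {
        "wwwroot/web.config": secret,              # blocked extension
        "wwwroot/Config/Forums.config": secret,    # blocked extension
        "wwwroot/Config/Settings.xml": secret,     # served as content
        "wwwroot/data/products.xml": "<products/>",  # no secret inside
        "Config/Settings.xml": secret,             # outside the web root
    }
    for rel, body in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return os.path.join(base, "wwwroot")

if __name__ == "__main__":
    print(audit_webroot(build_demo_tree()))
```

Only `Config/Settings.xml` under the web root is reported; the copy outside the web root is never walked, which corresponds to the `C:\Config` option from the thread.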




