ASP.NET can use protected configuration to encrypt sensitive information in a Web application's configuration file (such as the Web.config file), including user names and passwords, database connection strings, and encryption keys. Once the configuration information is encrypted, an attacker who gains access to the configuration file still cannot read the sensitive information, which improves application security.
For example, an unencrypted configuration file may contain a section specifying the connection string used to connect to the database, as shown in the following example:
<configuration>
  <connectionStrings>
    <add name="SampleSqlServer" connectionString="Data Source=localhost;
      Integrated Security=SSPI;Initial Catalog=Northwind;" />
  </connectionStrings>
</configuration>
ASP.NET 2.0 has a new security feature: any configuration section in the Web.config file can be encrypted. You can do this with the aspnet_regiis tool or programmatically. If you have direct access to your Web server, you can run the following commands:
cd %windir%\Microsoft.NET\Framework\versionNumber
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov RsaProtectedConfigurationProvider
-pd section
Decrypts the configuration section. This parameter takes the following optional modifiers:
◆ -app virtualPath specifies that decryption should be performed at the level of the included path.
◆ -location subPath specifies the subdirectory to be decrypted.
◆ -pkm indicates that the Machine.config file should be decrypted instead of the Web.config file.
-pdf section webApplicationDirectory
Decrypts the specified configuration section of the Web.config file in the specified physical (non-virtual) directory.
-pe section
Encrypts the specified configuration section. This parameter takes the following optional modifiers:
◆ -prov provider specifies the encryption provider to be used.
◆ -app virtualPath indicates that encryption should be performed at the level of the included path.
◆ -location subPath specifies the subdirectory to be encrypted.
◆ -pkm indicates that the Machine.config file should be encrypted instead of the Web.config file.
-pef section webApplicationDirectory
Encrypts the specified configuration section of the Web.config file in the specified physical (non-virtual) directory.
If you are using shared hosting or another environment where you cannot access the physical server, you can still encrypt the connection string programmatically:
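// Requires: using System.Configuration; using System.Web.Configuration;
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.Sections["connectionStrings"];
// Encrypt the section only if it is not already protected
if (!section.SectionInformation.IsProtected)
    section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
// Write the protected section back to Web.config
config.Save();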
After this step, a configuration file encrypted with protected configuration no longer displays the connection strings in plaintext but stores them in encrypted form, as shown in the following example:
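One way to audit for this state, as an added example that is not code from the original article: the Python function below parses a Web.config and reports whether each occurrence of a section is stored encrypted. It assumes the protected form carries a configProtectionProvider attribute and an XML Encryption EncryptedData child; the function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ENC = "{http://www.w3.org/2001/04/xmlenc#}"  # XML Encryption namespace

# Constructed sample: the plaintext section from the article's first listing.
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="SampleSqlServer" connectionString="Data Source=localhost;
      Integrated Security=SSPI;Initial Catalog=Northwind;" />
  </connectionStrings>
</configuration>"""

# Constructed sample: shape of a protected section under <location>; cipher text is a placeholder.
PROTECTED_CONFIG = """<configuration>
  <location path="admin">
    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <CipherData><CipherValue>PLACEHOLDER==</CipherValue></CipherData>
      </EncryptedData>
    </connectionStrings>
  </location>
</configuration>"""

def audit_section(config_xml, section="connectionStrings"):
    """Return [(location_path, status)] for every occurrence of `section`;
    status is 'protected', 'plaintext' or 'inconsistent'."""
    root = ET.fromstring(config_xml)
    # A section sits directly under <configuration> or inside <location path="...">.
    scopes = [("", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    results = []
    for path, scope in scopes:
        for node in scope.findall(section):
            provider = node.get("configProtectionProvider")
            cipher = node.findtext(f"{ENC}EncryptedData/{ENC}CipherData/{ENC}CipherValue")
            readable = [c for c in node if not c.tag.startswith(ENC)]
            if provider and cipher and cipher.strip() and not readable:
                status = "protected"      # provider named, cipher text only
            elif not provider and cipher is None:
                status = "plaintext"      # settings readable by anyone with file access
            else:
                status = "inconsistent"   # e.g. provider attribute but readable children
            results.append((path, status))
    return results

if __name__ == "__main__":
    for name, doc in (("plaintext", PLAINTEXT_CONFIG), ("protected", PROTECTED_CONFIG)):
        print(name, audit_section(doc))
```

A result of 'inconsistent' usually means the file was edited by hand after encryption and should be reviewed before deployment.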