Customers are often uneasy about storing data in a config file. Specifically, they worry about keeping sensitive information in a text file. When the author meets this kind of customer, the author tells them that if other people can remove text files from their Web server, they have problems that cannot be solved.
But customers are not convinced by this argument, and they have a point of their own. A considerable portion of security vulnerabilities are caused by the organization's own personnel, and the resulting security problems should not be taken lightly. Therefore, the author recommends encrypting the Web.config file.
Local encryption
The code below encrypts a specified section of the Web.config file. The first step is to select a section through the Sections collection of the Configuration object. In this example, the connectionStrings section is selected:
Dim configFile As System.Configuration.Configuration
Dim configSection As ConfigurationSection
This code assumes that it is running in a Web page, so you can use the ApplicationPath property of the Request object to get the physical path to the Web.config folder. If you want to create a utility instead, you need to hard-code the path passed to the OpenWebConfiguration method.
Now that we have the section to encrypt, we can encrypt it and specify the encryption scheme to use. The final step is to save the encrypted version to the configuration file:
      <CipherValue>...encrypted data...</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
If you're thinking about how to save critical information to a Web.config file, you should encrypt the file.
The good thing is that when you use the ConfigurationManager.ConnectionStrings collection to retrieve an encrypted connection string, the connection string is automatically decrypted for you. This code works whether or not connectionStrings is encrypted:
Because the section is encrypted with a key that is exclusive to the Web server, it cannot be decrypted off that server even if the file is stolen from the Web site. It also means that you cannot decrypt the file yourself unless it is on that server. If you encrypt the connection string on a test server and then transfer the file to another server, ASP.NET there cannot decrypt the string, because it does not have the test server's exclusive key.
Sometimes you need to decrypt Web.config just to check the contents of the file. The following code does this:
Dim configFile As System.Configuration.Configuration
Dim configSection As ConfigurationSection
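The encrypt and decrypt steps described above (select the section, protect or unprotect it, save the file), written out as one VB.NET module. This is an added example, not the article's original listing: the module and function names are hypothetical, and the choice of DataProtectionConfigurationProvider as the default scheme is an assumption.

```vbnet
Imports System
Imports System.Configuration
Imports System.Web.Configuration

' Added example, not the article's original listing. Names are hypothetical.
' Requires references to System.Configuration and System.Web.
Public Module WebConfigProtector
    ' Assumption: DPAPI provider. "RsaProtectedConfigurationProvider" is the other built-in one.
    Public Const DefaultProvider As String = "DataProtectionConfigurationProvider"

    ' Opens Web.config for appPath (Request.ApplicationPath in a page) and returns the section.
    Private Function OpenSection(appPath As String, sectionName As String,
                                 ByRef configFile As System.Configuration.Configuration) As ConfigurationSection
        configFile = WebConfigurationManager.OpenWebConfiguration(appPath)
        Dim section As ConfigurationSection = configFile.Sections(sectionName)
        If section Is Nothing Then
            Throw New ArgumentException("No such section: " & sectionName, "sectionName")
        End If
        If section.SectionInformation.IsLocked Then
            Throw New InvalidOperationException("Section is locked: " & sectionName)
        End If
        Return section
    End Function

    ' Encrypts the section in place. Returns False if it was already encrypted.
    Public Function EncryptSection(appPath As String, sectionName As String,
                                   Optional provider As String = DefaultProvider) As Boolean
        Dim configFile As System.Configuration.Configuration = Nothing
        Dim section As ConfigurationSection = OpenSection(appPath, sectionName, configFile)
        If section.SectionInformation.IsProtected Then Return False
        section.SectionInformation.ProtectSection(provider)
        section.SectionInformation.ForceSave = True
        configFile.Save(ConfigurationSaveMode.Modified)
        Return True
    End Function

    ' Restores the section to clear text. Returns False if it was not encrypted.
    Public Function DecryptSection(appPath As String, sectionName As String) As Boolean
        Dim configFile As System.Configuration.Configuration = Nothing
        Dim section As ConfigurationSection = OpenSection(appPath, sectionName, configFile)
        If Not section.SectionInformation.IsProtected Then Return False
        section.SectionInformation.UnprotectSection()
        section.SectionInformation.ForceSave = True
        configFile.Save(ConfigurationSaveMode.Modified)
        Return True
    End Function
End Module
```

From a page, call `WebConfigProtector.EncryptSection(Request.ApplicationPath, "connectionStrings")` on the server that will host the site, since the section can only be decrypted on the server that encrypted it.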
If you do not want to write code, you can use the aspnet_regiis tool to encrypt or decrypt a local Web.config file. You must pass the tool the section to encrypt and the path of the folder that holds the configuration file, and also pass the -prov parameter to specify the encryption scheme: