I have many ASP.NET applications running on server and i want to encrypt the web.config file for each.Is there a way I can encrypt all config files using single class/app or do i have to write separate code under each solution/project to encrypt config?I have idea how to do one file in a project usinghttp://davidhayden.com/blog/dave/archive/2005/11/17/2572.aspxBut i want to use a centralized or single app to encrypt all
View 2 Replies
I am wondering how to encrypt the below information in the "web.config" file of the "Account" folder (where we have the secured pages):
[Code]....
My issue here is that even after I compiled my application (using "aspnet_compiler -v /reports c:
eports"), the information inside the web.config file of the Account folder still not encrypted, and I want to publish my site to the customer server. So, since this server is a customer server, then they can access this "web.config" file and change our web-application security behaviour (correct me if I am wrong). Basically, I don't want the customer to even have access to our secured pages when they access our web-application using the web browser. How to solve this issue?
I used the article Creating a Flexible Configuration Section Handler to create a Flexible Configuration Section Handler in my application.
I also saw this article entitled Encrypting Custom Configuration Sections on the OdeToCode blog, on how to encrypt portions of a web.config file.
From the first article, we have this web.config code.
[code]...
I am getting the error "An error occurred loading a configuration file: Access to the path is denied."
When I am in VS 2010, I can Encrypt as long as I run as administrator. Code as follows:
[Code]....
My problem is I need to run this in IIS. What is stopping me? It's a permission problem, but what permission. I am running IIS 7.5 on Windows 7. This is happening on my production server as well. Same error.
Any section in my web.config file that I want to encrypt I run this command line util:
aspnet_regiis -pe "anySection" -app "/SampleApplication"
It all works just fine until I try encrypt my connectionStrings sections
I define (and I cannot change this) my connectionStrings section like this:
[code]....
Is there a way of doing this using the aspnet_regiis util? Doing it with code is not an option for me.
Also is there a way to run this untility without specifing the application (-app "/SampleApplication") instead giving the path to the web.config file?
I'm trying to encrypt a custom section in a web.config file. When I get to the line that calls ProtectSection(), I get an exception saying the provider isn't found.
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.GetSection("MySection");
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
I tried it with RSA as well and got the same error.
Running aspnet_regiis.exe works, but I need to do this programatically.
I have written a couple methods that encrypt and decrypt the appSettings section of my web.config file using the WebConfigurationManager. I just hooked up the methods to the page_load event to test that it works, which it does. Now I need to deploy to a web farm and need advice. What is the best way to make it so I can encrypt, but more importantly decrypt the web.config when I need to? I thought about putting a hidden page with "encrypt" and "decrypt" buttons, but that seems risky. What is the "accepted" method for rolling out something like this?
View 1 RepliesIf I encrypt something in my config file using aspnet_regiis.exe -pef "appsettings" "path" which i think will use my logged in id's credentials. If i deploy this application on some other machine where some other user id is used to login. Will there be any issues or .......?
View 1 Repliesshare your thoughts if there is any way to encrypt app.config section with out changing code? I know that we can use aspnet_regiis.exe to encrypt the web.config file.
I came across some blogs to rename app.config to web.config and run aspnet_regiis -pef command. I am able to create an encrypted version of app.config file but application failed to read the keys from encrypted app.config. so this approach didnt work for me.
Is aspnet_regiis.exe secure? If i encrypt using aspnet_regiis.exe, will it automatically decrypt the string and wont give any error? Need an insight into this stuff.... Is Rsa the best option or wat? Wat's the best way to encrypt/decrypt programmatically?
View 10 RepliesMy problem is that I'm going to have a SQL Server database and website that accesses that database via a hosting provider, most likely GoDaddy.com, using ASP.Net. I need to make sure the connection string in the web.config file is as secure as possible, because the database will actually be storing trivia questions for a game I'm developing, and the clients will be accessing these questions, saving specific state related details, and other details, to the database, so every player that plays the game will have their details stored in this database. I need to ensure hacking is very difficult to accomplish.
From my research it appears as though the only viable solution for your web.config when you've got a hosting account with something like GoDaddy.com is to use SQL Server security to connect to your SQL Server database and place those details in the web.config file. Is this correct? It seems that this is the most likely scenario for most users, because we don't have access to our hosting providers IIS servers in order to use Windows authentication with SQL Server access and then use DPAPI encryption from there.
When I try to encrypt the "connectionStrings" section in the web.config file of my asp.net web application on Windows Server 2008, I'm getting the following error:
Administration utility (2.0.50727) to install and uninstall ASP.NET on the local machine. Copyright (c) Microsoft Corporation. All rights reserved. Note: This utility has limited capabilities on the Windows Vista operating system. It is recommended that you use the "Turn on or off Windows features" option of the "Programs" component of Control Panel to install or remove ASP.NET. It is also recommended that you use the IIS Manager component or the Appcmd.exe tool to configure ASP.NET applications.
The above information is followed by the list of valid options to aspnet_regiis.exe.
The command that I've used is:
aspnet_regiis.exe -pef "connectionStrings" "C:Usersuser1DocumentsMywebsite" -prov "DataProtectionConfigurationProvider"
But, the same command is working fine when used on a Windows Server 2003 machine. The problem is occurring only on Windows Server 2008 with IIS7.
I've been reading others questions regarding storing settings in the web.config. Most of you agree that's a good way to store settings.I just have another doubt about that.
In my app, I need to map some ID's in the web.config. For example:
[Table = UserType]
1 - User
/2 - Admin
Is it a good idea to store these settings in the web.config so I know what is the right ID in my application? Do you have a better solution?
Using visual studio 2010.
Dragged and dropped a login control onto a blank content page. Set up my web.config (i'll include the code for that at the end). It seems to want to use a sql database to store the info. I just want to use the web.config since it's just a single user and a simple site. I thought I could just drag and drop the login control to a page and that would be the end of it (besides setting up the web.config).
Here's what i have in the config file
[Code]....
I register all my user controls in the web.config file. In one of the modules of my application, I need to load a control dynamically. Is it possible for me to read the section of the web.config file where I have my user control data so that I can get its path directly from web.config?
View 5 RepliesCurrently, I work on an ASP.NET project which is hosted under version control and is used on several developer machines, tester machine and production environment.
In three cases, configuration (Web.config) may be different. For example, developer and tester environments use testing SQL Server, whereas in production environment, another SQL Server is accessed, so the connection string is different in those cases.
We want to keep three versions of Web.config in subversion. But modifying each of three files every time we need to add, remove or change a common setting is annoying: it would be nice to have a common, master Web.config, which will be inherited by each of the three Web.config files.
How to set up an ASP.NET project which will use a master configuration file and different slave configuration files on different machines, thus sharing the same project/source code/configuration files in subversion?
I am encrypying my .NET config file using this command and it works just fine:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
For this to work though I have to have a virtual directory called SampleApplication pointing to the folder my web.config file is under.
Is there a way to just specify the path to the file and not have to have a virtual dir?
I tried with
aspnet_regiis -pe "connectionStrings" -location "c:FoldercontainingWebConfigFile"
but i get the error: " path attribute must be a relative virtual path". And cannot contain any of ":" "" etc...
I am looking here:
[URL]
We are experiencing some strange behaviour on one of our ASP.NET web servers (Windows 2003 64-bit). After some activity, two third-party controls are unable to run correctly. One is log4net (it does not write error messages out) and the other is a menu control (it displays eval message instead of picking up its license). The one common thread is that both controls pick up their config from external config files (linked to from web.config).
Just wondering if anyone has any thoughts on this or experienced this in any way. Is it related to file/folder rights? The server has been running fine for a while and just started exhibiting this behaviour. Perhaps it occurs around the time the worker processes are recycled.
I was following the tutorials from this two sites:
http://www.15seconds.com/issue/070104.htm
http://aspnet.4guysfromrolla.com/articles/020404-1.aspx
Following the first site, it had worked but when I´ve moved the pages and files to other folders and set the web.config file on this folder, now it won´t work at all!!!
The file is an *.swf object. I did put the asapi.dll to map the extension on the website root, I´ve put the
[Code]....
on the web.config new folder and on the web.config website´s root.
It won´t work!!! I can access the file directly!!! on the web.config of the folder that contains the file, there is a <deny users="*" /> line.
I just upgraded to VS 2010 and MVC 2.0 and I noticed the web.config has two additional files attached to it? Are these files used to specify debug and release specific settings, so you don't clutter up the main web.config?
Does it even make sense to place a connection string in the root web.config file if I have have a local and remote one in the debug and release web.configs respectively.
I have an entity called a file which is the main part of my project. The file has invoices and timesheets captured against it. So I have a file tab with info about the file, like FileNumber, Vessedl, Voyage etc. Now I need to be able to upload documents for the file. So I will add an uploads tab. But the uploaded documents need to be saved for the specified file the user uploads it for. then when a user opens a file I need to show the documents for that file in a list of some sort. the best way to do this. What's the best way to upload multiple files? should I store all the info in my database?
View 36 RepliesI'm building an ASP.NET MVC 2 site where I'm currently implementing an OpenID sign-up form. Unfortunately, I'm foreseeing a possible security bug/vulnerability inside my architecture.
Here's how I want OpenID login to work:
User requests /Account/Login, Controller sends back OpenIDLogin View. User enters their OpenID into the View, then OpenID authorization takes place, and finally the OpenID is returned to the Controller.The Controller checks whether the OpenID is currently in use by a user in the system or not. If it is, the user is logged in to that account. If not, the registration process begins.
And now, the OpenID registration process:
The OpenID identifier, as well as any other information provided by the OpenID provider (such as email address or name), is put into my custom ViewModel and sent to my OpenIDRegistrationForm View.The RegistrationForm View stores the OpenID in a hidden field to make sure that it gets sent back to the Controller.The user fills in the RegistrationForm View and sends it back to the Controller.The Controller creates the user account and puts the OpenID into the database.
The bug that I see within my architecture is that a user could modify the hidden value in the RegistrationForm View. Thus, they could spoof their OpenID! I will make sure to add another round of checking to the final Registration Controller Action to make sure that the OpenID that is provided doesn't exist yet, but there is still a possibility for spoofing. Can my architecture be improved somehow? I don't want this to end badly...
One solution I'm considering is encrypting the OpenID before I send it to the View and then decrypting it when it reaches the Controller. Should I try this?
I'm interested to know how others maintain their web.config files for deployed applications. (assuming no automated deployment mechanism - that is out of the scope of this question)So during development, some developers might make use of web.config transformations, build/publish their projects (debug/release, test/live configurations), then deploy all published artifacts to a web server and set up IIS. Some developers might build/publish their projects, deploy published artifacts to a web server, set up IIS, then manually update the web.configs for the specific environment (test/live, etc) they are deploying into
View 2 RepliesIn my experience, web.config files are widely reviled. In particular, I have found them difficult to manage when you have multiple environments to support, and fiddly to update due to the lack of validation at update-time and the verbosity of XML.
View 2 RepliesI have two webconfig files, on in the root directory and one in the other directory. I dont know how to access or specify for the particular pages or APIs those are in the folder.Root webconfig file used by another section and the 2nd one accessed by another api. I have no idea about that
View 3 Replies
