Security :: Data Connections Strings / Web Config?
Apr 4, 2010
I am helping a club create a site that has a password protected "members only area". I have never done anything password protected. I used VWD and created the user names and passwords. Apparently using the AspNetSqlProvider. The site and password protected area work great when tested locally. The problem is when the site is uploaded to the hosting company, the login area will not work. I found that I had to create an SQL database in the appropriate area of the hosting company. The login still won't work. I am thinking that I have to create a connection string in the web config file. The problem is - when I tried that the site wouldn't work when I tested it locally. I really need lots of help with this part.
I nearly completed my project and was about to put it out to be run. My boss was going to make a minor change to the connection string and then put it out there. In short, my application was running off a dummy database, while the real database was out there. I have the connection string comiple and built through out my project in the aspx pages and the cs pages.
However, my boss wants to be able to change a single connection string in a single place, essentially in the web.config file. I'm fine with that, but I don't know how to access the connection strings stored in the web.config files. How do you do that? So far, I've only created a new connectionstring in my code on each page. I've told him you could do a "find and replace" on all the files but he doesn't want to do that. In short, he wants to change the connection string the same way he does all the other projects he works with, php, vb and etc.
how do you access the connection strings stored in the web.config file programmatically?
I want to apply some better security measures to an existing web application. Currently, my connection string contains the user name and password in plain text. I'm also using a custom membership provider, which stores user names and passwords in the web.config file as plain text [URL] I would like to secure this information using an algorithm such as SHA1.
I have heard that saving connection strings and stored procedure names in web.config file of our application is not safe. It is a good practice to store the connection string in a config file rather than as a hard coded string in our code and if we need to change it,then it makes our job easier. how to protect our code in web.config?
How Can We Have two Connection Strings In Web.Config And Switch Betweeen Them In Code Behind? when i add two connention strings in web.config so an error appears that tells us u cann't add two connection strings in web.config. i want the upper job because i have 2 databases and i want transfer data from another to the other one.
I would like to store a collection of strings in the web.config. This collection would vary in size over time. I would like to be able to pull all of the strings in the collection into an array or collection in code. (.Net 4, asp.net) i.e.
I could use appsettings with the strings all in one value but I would like to seperate it out for organizational reasons. Not using the key/value pair complicates things a bit. I am now getting a message that states "you can't have duplicate elements in a section"
I have an ASP.NET project which is pretty n-tier, by namespace, but I need to separate into three projects: Data Layer, Middle Tier and Front End.
I am doing this because...
A) It seems the right thing to do, and
B) I am having all sorts of problems running unit tests for ASP.NET hosted assemblies.
Anyway, my question is, where do you keep your config info?
Right now, for example, my middle tier classes (which uses Linq to SQL) automatically pull their connection string information from the web.config when instantiating a new data context.
If my data layer is in another project can/should it be using the web.config for configuration info?
If so, how will a unit test, (typically in a separate assembly) provide soch configuration info?
I have two connection strings (both in Web.Config: CS_Local and CS_Production) for my DBML (Linq to SQL). In my Global.Asax/Application_Start I run some production preparation methods if the request is non-local (!HttpContext.Current.Request.IsLocal). Within that part, I'd also like to change the current connection string used by my DBML from the standard CS_Local to CS_Production.
I have seen the examples on how to switch between connections strings for development and production enviroments. My web.config also calls out a connection string for <roleManager and membership><providers>. Can this be setup to switch between the two connection strings?
I would like to use both of the connection strings in the same web.config file how can I do this I tried this yesterday it worked I called it a night, then this morning I got this. The error being on line: 10 Parser Error Message: The entry 'ApplicationServices' has already been added.
Line 8: <add name="ApplicationServices" Line 9: connectionString="Data Source=Mysource;Initial Catalog=travelatlantic;User ID=MyID; Password=MyPassword;" /> Line 10: <add name="ApplicationServices" Line 11: connectionString="Data Source=MySource;Initial Catalog=travelatlantic2;User ID=Myid; Password=MyPassword;" /> Line 12: </connectionStrings>
The company I work for has a web app running on IIS that has been strictly internal (uses a port other than 80 not accessible to the internet). Recently we started using mobile devices and need to access it over the internet. So I simply made it part of our company web site and secured that portion using forms authentication. The problem is that it is also our home page in the office and it is a pain to be logging in several times a day. In fact some of the staff are irate they have to login in at all when at their workstations. Is there a way to by-pass authentication when the referrer is http://servername/ and still enforce it when accessed via http://www.domainname.com?
I have incorporated the asp.net membership and roles feature in my web app on my local dev setup that uses SQL 2008 Developer edition, all works as it should.
My remote system uses SQL 2005 express and I went through the process of creating the ASPNET membership tables via the "aspnet_regsql" command to my remote target database. I then created a few users, adjusted my app connection strings accordingly and uploaded.
My login page uses the "login" server control and when I try and login using credentials from one of the previously created users I get a "Your login attempt was not successful. try again." error. I know the users are in the DB as I can see then via the SQL Management studio on the remote DB. I have triple checked the username/passwords and I am definately entering the correct info. The connection strings are correct as the initial page renders content from another table in the DB. I am getting no errors.
My best guess at the moment is that SQL Express handles Membership/Roles connections differently to the full versions of SQL?
We use Sharepoint to control our websites. We build the sites, then load them into the sharepoint server. My question is if I use windows authentication, how can I get my role security in my web config file to coencide with the asp.net controls that use the Forms authentication. Is there a differenence? Our security uses a session variable for security but there is no where to set up their permissions except in active directory. I hope this makes sense because I would like to implement the LoginView with Role groups but how can I give them the role="administrator"? Do I have to go into active directory and give them these permissions(would take awhile due to the size of the company)? Or do I have to set up priveladges in the web.config file for each user(difficult I think)?
We have developed web application using Asp.net, C# and SQL Server. However, When viewing the Process Info Tool for MS SQL Server, we see lots of processes (150-1000+) with Status = 'sleeping' and Command = 'AWAITING COMMAND' (Application = '.Net SqlClient Data Provider')The DataReaders and Connections are all being closed, but still the sleeping connections are accumulating. The problem becomes so severe that we finally get a "General Network Error" or a "Internal system error" and if we restart IIS. We have tested a lot but no success.
I have a decimal value that is a winning percentage so will always be three digits to the right of the decimal but I dont want the 0 appearing to the left of the decimal.What format string can I use to clean it up?
Im uysing my custom login for user,and suppose im having a group of user who can login in.and rest of other should be deniedso how i can maintain that in web.config,
I have done forms authentication a couples of times before but this time I cant get my head around something.Somehow altough the user authenticated,the destination page does not get this.The destination page is called Approval.aspx and is located in the /Admin directory which is secured by having its own web config with those settings:
[Code]....
If I remove the <deny users="?" />,then everything works fine but obviously everyone has access to that page.I only want that the user of role Admin can access it. I have implemented the standard VS 2010 login controland the user gets to the destination page with a response redirect:
[Code]....
Why does the destination page not realize that the user is authenticated and does not treat the useras a user in role "Admin"?
[Code]....
While debugging the login page I can see that the user has the right role "Admin".
Within my site structure there is a folder called { Account } where I only want certain users to have access to. At University, my lecturer provided us with the following instructions:
Create new website and delete the default.aspx file in the Solution ExplorerRight click on the website path at the top of the Solution Explorer window and add a new folder. Name the folder Secure.To set up the security, select Website and then ASP.NET configuration.Select the Security link and in the Users column click "Select Authentication Type" and on the page that appears check the "From the Internet" option. Then click the "Done" button.Still in the security section select "Create Access Rules" and then click on the Secure folder and select "Anonymous Users" and "Deny". Then click OK. You can now close down this window.In the Solution Explorer click the "Refresh" button and you should see two web.config files appear.I am following his instructions to the letter, but I am not getting the {web.config } for my { Account } folder ! What am I doing wrong ?
PS. Is a users table in a database redundant in ASP.NET because there is already a user's table with roles built into ASP.NET ?
I need to set my logged in time in web.config but I do not know how? I get logged out after a while if I do no do anything in the website but I wanna be logged in for 120 minutes.