Asp.net ConnectionString in secure way
I could not get a satisfactory answer to my question on the google, they are:
- How secure ConnectionString is over the HttpRequest?
- Is using Connection
-
How secure ConnectionString is over the HttpRequest?
Do you send the connection string over http request ? Really ? what scenario it is ? Ususally only requests for a webpage travels thru http request and the response as well. Connectionstring is something your code internally use to access data and it stays in your server.
Is using ConnectionString in web.config file more secure than using in any specific aspx page?
Think about maintainability. If you put your connection string in a class, you have to rebuild your app when you have to change your connection string . If some body has access to your folder where you have your files, they can use a disassembler to see what is in your dlls.
And how to secure ConnectionString for highly secure website?
You can encrypt connection string in web.config. check this link http://www.codeproject.com/Tips/304638/Encrypt-or-Decrypt-Connection-Strings-in-web-confi
讨论(0) -
Nice project on CodePlex Encrypt/Decrypt Connection string
讨论(0) -
There are quite a few methods to secure your connectionstring like
- Encrypt your connectionstring and save it in webconfig
- Encrypt your connectionstring and save it in windows registry
Its best to save connectionstring in webconfig to be used as a single point of use for whole application.
讨论(0) -
To answer your questions in turn:
How secure ConnectionString is over the HttpRequest?
You should never have to pass your connection string over HTTP; what usually happens is a user makes a request, your site processes the request including connecting to the database, and returns the result to the client. Connection String should not be sent over HTTP in this scenario.
Is using ConnectionString in web.config file more secure than using in any specific aspx page?
Depends on what you do with the connection string - if you ever write it out to the client then it's never going to be secure! The connection string is usually placed into config for reusability purposes; embedding it on every page makes for a lot more maintainance and potential bugs.
And how to secure ConnectionString for highly secure website?
You can encrypt the connection - so it is never stored as plain text, or use Windows Authentication so you never need a password. This is supported by ASP.Net as described here and here.
讨论(0) -
You can encrypt the conenction string inside the webconfig, here is an article from Microsoft about this topic : http://msdn.microsoft.com/en-us/library/dx0f3cf2(v=vs.80).aspx
If you sending the connectionstring over a channel its not more secure than the channel. For example sending the connectionstring over HTTP and it will be just plain text, HTTPS and it will be encrypted, over FTP just plan text, and so on...
If you have a webapplication in a shared hosted environment you should be worried about that the provider maybe get hacked.
So just keep the connection string inside the web.config and encrypt it and don't send it around on internet ;-)
讨论(0) -
The connection strings are safe in the web.config. They are very secure unless you print them out on the web requests.
讨论(0)
加载中...
- 热议问题