Is it secure to store username or password in web.config
as the other parameters e.g. timeout period in ASP.NET MVC
applications? If not, is it possible to make these parameters securable so that they cannot be encoded in the web.config
file on the published server? On the other hand, would you suggest to store username, password and the other constant parameters in a Class
(*.cs) file as static values? Could you please clarify me about which approach is better in order to store such parameters?
问题:
回答1:
You should never store sensitive data in source code. You can use the configSource
attribute to replace the entire <connectionStrings>
markup.
<connectionStrings configSource="ConnectionStrings.config">
</connectionStrings>
ConnectionStrings.config
should be in the same folder as Web.config. It's best to keep extension .config, as config files are not served by IIS.
This file must be ignored by version control system.
https://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure
回答2:
check these links:
http://www.4guysfromrolla.com/articles/021506-1.aspx
http://www.aspnettutorials.com/tutorials/advanced/encrypt-conn-str-asp4-cs.aspx
Better yet, do not use SQL Server Security and instead use Integrated Security and only allow the account your web app (pool) runs under to access the DB.