{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Animai°情兽 的问题《Keeping sensitive information in web.config》','https://www.manongdao.com/q-1267512.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Is it secure to store username or password in web.config as the other parameters e.g. timeout period in ASP.NET MVC applications? If not, is it possible to make these parameters securable so that they cannot be encoded in the web.config file on the published server? On the other hand, would you suggest to store username, password and the other constant parameters in a Class (*.cs) file as static values? Could you please clarify me about which approach is better in order to store such parameters?
相关问题
- Sorting 3 numbers without branching [closed]
- Graphics.DrawImage() - Throws out of memory except
- Carriage Return (ASCII chr 13) is missing from tex
- MVC-Routing,Why i can not ignore defaults,The matc
- Why am I getting UnauthorizedAccessException on th
You should never store sensitive data in source code. You can use the
configSourceattribute to replace the entire<connectionStrings>markup.ConnectionStrings.configshould be in the same folder as Web.config. It's best to keep extension .config, as config files are not served by IIS. This file must be ignored by version control system.https://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure
check these links:
http://www.4guysfromrolla.com/articles/021506-1.aspx
http://www.aspnettutorials.com/tutorials/advanced/encrypt-conn-str-asp4-cs.aspx
Better yet, do not use SQL Server Security and instead use Integrated Security and only allow the account your web app (pool) runs under to access the DB.