Is there a way to set the connection string in IIS without setting it in the web.config file of the .NET application? Because I don't want the credentials to be set in the .NET code.
You can encrypt it. Or have your application obtain it from a "secret server". Or use environment variables. But I guess more importantly, is there someone who has access to your site's source code that isn't authorized to see the connection string?
– mason, May 10, 2017 at 14:57

It is the publish of the source code that is linked to the IIS, but there are many tools to reverse the publish and have the source code, so if I encrypt it in the web.config I will have to decrypt it in my code, and if they reverse the publish code they will know how to decrypt the connection string.
– User7291, May 10, 2017 at 15:04

If somebody can "reverse the publish" that you don't trust, I think you have far bigger issues on your hands than decrypting your connection strings.
– Sean Lange, May 10, 2017 at 15:10

You don't HAVE to put the connection string in your config file. One way or another you will have to encrypt/decrypt it in code, so just access the decrypted string in your data layer class...
– IrishChieftain, May 10, 2017 at 15:16
2 Answers
You can encrypt the connection string.
Take a look at this: https://msdn.microsoft.com/en-us/library/dx0f3cf2(v=vs.85).aspx
Quote: The following example shows how to encrypt the connectionStrings section of the Web.config file for an application named SampleApplication:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
2 Comments
User7291
It is the publish of the source code that is linked to the IIS, but there are many tools to reverse the publish and have the source code, so if I encrypt it in the web.config I will have to decrypt it in my code, and if they reverse the publish code they will know how to decrypt the connection string.
Iomm1
I think the above process doesn't require you to do anything in your code, the encrypting/decrypting is handled by the authority in which the app pool is run. See this also - the question has come up before - any answers for you here? stackoverflow.com/questions/1706613/…
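The encryption step quoted in the answer above, extended with the key-container grant for the app pool identity and a check that no plaintext entries remain. This is an added example, not part of the original answer; the app pool name and the physical path of web.config are assumptions, and the script is meant to run in an elevated PowerShell session on the IIS server.

```powershell
# Added example. $appPool and $webConfig are assumed values; adjust to your site.
$ErrorActionPreference = 'Stop'

$regiis    = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$appPath   = '/SampleApplication'            # virtual path, as in the quoted command
$appPool   = 'IIS APPPOOL\SampleAppPool'     # assumed app pool identity
$webConfig = 'C:\inetpub\wwwroot\SampleApplication\web.config'   # assumed physical path
$container = 'NetFrameworkConfigurationKey'  # default RSA key container

function Test-SectionEncrypted {
    param([string]$Path, [string]$Section)

    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $node = $xml.DocumentElement.ChildNodes |
        Where-Object { $_.LocalName -eq $Section } |
        Select-Object -First 1
    if ($null -eq $node) { throw "Section '$Section' not found in $Path" }

    # An encrypted section names its protection provider and holds an
    # EncryptedData element instead of plaintext <add .../> entries.
    $hasProvider = $node.HasAttribute('configProtectionProvider')
    $hasCipher   = @($node.ChildNodes | Where-Object { $_.LocalName -eq 'EncryptedData' }).Count -gt 0
    $hasPlain    = @($node.ChildNodes | Where-Object { $_.LocalName -eq 'add' }).Count -gt 0
    return ($hasProvider -and $hasCipher -and -not $hasPlain)
}

# 1. Encrypt the connectionStrings section in place.
& $regiis -pe 'connectionStrings' -app $appPath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pe exited with $LASTEXITCODE" }

# 2. Allow the app pool identity to read the RSA key container,
#    otherwise the application cannot decrypt the section at runtime.
& $regiis -pa $container $appPool
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa exited with $LASTEXITCODE" }

# 3. Confirm that the file on disk no longer contains plaintext entries.
if (-not (Test-SectionEncrypted -Path $webConfig -Section 'connectionStrings')) {
    throw "connectionStrings in $webConfig is still plaintext"
}
Write-Host "connectionStrings is encrypted; key container readable by $appPool"
```

The .NET configuration system decrypts the section when it loads web.config, so application code keeps reading `ConfigurationManager.ConnectionStrings` unchanged. The ciphertext is tied to this machine's RSA key container, so the container's access list is what protects the connection string.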
You can put your connection string in applicationHost in this path:
%windir%\system32\inetsrv\config
There's an inheritance chain above the site that you must know about:
You can see more information about it here.
