web config help

My development environment consists of 2 separate servers (sql 2000 server and iis6 server).
1. iis6 web server
2. sql 2k server

iis6 directory structure:
wwwroot/
      default.aspx
      web.config
      error.aspx
      404berror.aspx
      500error.aspx
      login.aspx
      members/default.aspx
      images/
      css/
      bin/

What is the best method for setting up a webconfig file so that I have a public side and a member folder?

Below is my web.config file.
-------------------------------
<?xml version="1.0" encoding="utf-8" ?>
<!-- public webconfig for asp.net/vb.net app-->
<configuration>
      <!--
      custom app settings
      SQLConnection = sql server connection string for remote sql server
      -->
      <appSettings>
      <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
      </appSettings>

<location path="members">
      <system.web>
      <!-- Trace -->            
            <trace
            enabled="false"
            localOnly="true"
            pageOutput="false"
            requestLimit="10"
            traceMode="SortByTime"
            />
            
      <!-- Globalization -->            
            <globalization
            culture="en-US"
            requestEncoding="utf-8"
            responseEncoding="utf-8"
            uiCulture="en-US"
            />
            
            <!-- HTTP Runtime -->
            <httpRuntime
                  appRequestQueueLimit="100"
                  executionTimeout="90"
                  maxRequestLength="4096"
                  minFreeThreads="8"
                  minLocalRequestFreeThreads="4"
                  useFullyQualifiedRedirectUrl="false"
            />
      
       <!-- Compilation -->
      <compilation
            batch="true"
            batchTimeout="15"
            debug="false"
            defaultLanguage="vb"
            explicit="true"
            numRecompilesBeforeAppRestart="15"
            strict="false"
            tempDirectory="C:\temp">
            <compilers>
                  <compiler extension=".vb" language="vb;vbs;visualbasic;vbscript" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            </compilers>
            </compilation>
            
            <!-- Page config settings -->
            <pages
                  autoEventWireup="true"
                  buffer="true"
                  enableSessionState="false"
                  enableViewState="false"
                  smartNavigation="false"
                  validateRequest="true"
            />
                  
       <!-- Custom Errors -->
            <customErrors
                  defaultRedirect="error.aspx"
                  mode="RemoteOnly">
                  <error statusCode="500"
                redirect="500error.aspx"/>
            <error statusCode="404"
                redirect="404berror.aspx"/>
            </customErrors>
            
       <!-- Authentication -->
            <authentication
            mode="Forms">
             <forms
                        loginUrl="login.aspx"
                        name="MemberLogin"
                        path="/"
                        protection="All"
                        timeout="20">
                  <credentials
                  passwordFormat="SHA1">
                  </credentials>            
            </forms>
            </authentication>
      
       <!-- Identity
       -->
            <identity
              impersonate="false"
            />
     
       <!-- Authorization      -->
            <authorization>
                  <deny users="?" />
            </authorization>
            
      <sessionState
                  mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                  cookieless="false"
                  timeout="20"
            />
            
      </system.web>
  </location>
</configuration>
--------------------

Also, would it be wise to have authentication on the public side mode="none" for performance?

<!--??<authentication
            mode="None">
            </authentication>?? if public is select only wouldn't this enhance performance?-->
      
matthersjrAsked:

tusharashahCommented:
You do not need every element inside <location> of your member subarea. Your web.config should look like the following:

----------------------------------------------------------------------------------------------------------------------------------------
<!--Web.Config -->
<configuration>

 <system.web> <!-- This is default system.web Put everything inside here -->
     ................
     ...............
   <authentication mode="Forms">    
         <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300"/>    
   </authentication>

    <authorization>
               <allow users="*" />   <!-- This is for your Root folder -->
     </authorization>

 </system.web>

 <location path="members"> <!-- You don't need anything else but authorization over here -->
   <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
 </location>

</configuration>
----------------------------------------------------------------------------------------------------------------------------------------

-tushar
0
tusharashahCommented:
CORRECTION
<location path="members"> <!-- You don't need anything else but authorization over here -->
   <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
 </location>

SHOULD BE:
<location path="members"> <!-- You don't need anything else but authorization over here -->
   <system.web>
        <authorization>
            <deny users="?" />   <!-- Need to deny Unauthenticated Users here -->
        </authorization>
    </system.web>
 </location>

-tushar
0
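Added example, not code from anyone in this thread: a small Python model of how ASP.NET URL authorization picks a rule (most specific `<location>` first, first match wins), run against the `members` block before and after the correction above. It is a simplification that reads only the `users` attribute (no `roles` or `verbs`); the sample config is constructed from the thread's snippets and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the snippets in this thread; {verb} is filled in below.
TEMPLATE = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="login.aspx" name="MemberLogin" path="/"/></authentication>
    <authorization><allow users="*"/></authorization>
  </system.web>
  <location path="members">
    <system.web>
      <authorization><{verb} users="?"/></authorization>
    </system.web>
  </location>
</configuration>"""
BEFORE_CORRECTION = TEMPLATE.format(verb="allow")
AFTER_CORRECTION = TEMPLATE.format(verb="deny")

def rules(system_web):
    """Return [(action, [users])] from the <authorization> child of a <system.web> element."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def under(url_path, location_path):
    """True if url_path is the location path itself or lies below it."""
    p, loc = url_path.strip("/").lower(), location_path.strip("/").lower()
    return bool(loc) and (p == loc or p.startswith(loc + "/"))

def effective_rules(config_xml, url_path):
    """Most specific matching <location> first, then the root, then the machine-level allow-all default."""
    root = ET.fromstring(config_xml)
    locs = [l for l in root.findall("location") if under(url_path, l.get("path", ""))]
    locs.sort(key=lambda l: len(l.get("path", "")), reverse=True)
    merged = [rule for l in locs for rule in rules(l.find("system.web"))]
    return merged + rules(root.find("system.web")) + [("allow", ["*"])]

def is_allowed(config_xml, url_path, user=None):
    """First matching rule wins; user=None models an anonymous request."""
    for action, users in effective_rules(config_xml, url_path):
        if "*" in users or ("?" in users and user is None) or (user is not None and user in users):
            return action == "allow"
    return False

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CORRECTION), ("after", AFTER_CORRECTION)):
        print(name, is_allowed(cfg, "members/default.aspx"), is_allowed(cfg, "members/default.aspx", "alice"))
```

With `<allow users="?" />` the anonymous request to `members/default.aspx` is let through; with `<deny users="?" />` it is refused while a logged-in user still falls through to the root `<allow users="*" />`.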
matthersjrAuthor Commented:
Public:
1. Set enableSessionState and enableViewState to false for performance?
2. Would credentials allow the password to be encrypted or is there another method of encrypting the userid and password?

Private:
1. <authentication mode="None"> - Would this be appropriate since the authentication already took place?
2. Set enableSessionState and enableViewState to true?
3. Paths for the error pages appropriate?
4. Is the SessionState code appropriate?

See web.config below.
---------------
<configuration>
<appSettings>
  <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
</appSettings>

<!-- public side: -->
<system.web>
<httpRuntime useFullyQualifiedRedirectUrl="false" />
<pages autoEventWireup="true" buffer="true" enableSessionState="false" enableViewState="false" smartNavigation="false" validateRequest="true"/>
<customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
  <error statusCode="500" redirect="500error.aspx"/>
  <error statusCode="404" redirect="404berror.aspx"/>
</customErrors>
<authentication mode="Forms">
  <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300">
    <credentials passwordFormat="SHA1"></credentials>
  </forms>    
</authentication>
<identity impersonate="false"/>
<authorization>
  <allow users="*" />
</authorization>
</system.web>

<!-- private side: -->
<location path="members">
<system.web>
<httpRuntime useFullyQualifiedRedirectUrl="false" />
<pages autoEventWireup="true" buffer="true" enableSessionState="true" enableViewState="true" smartNavigation="false" validateRequest="true"/>
<customErrors defaultRedirect="../error.aspx" mode="RemoteOnly">
  <error statusCode="500" redirect="../500error.aspx"/>
  <error statusCode="404" redirect="../404berror.aspx"/>
</customErrors>
<identity impersonate="false" />
<authorization>
  <deny users="?" />
</authorization>
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>
</system.web>
</location>

</configuration>
0

tusharashahCommented:
Again, as long as anything is inside your main web.config you do not need to write it again inside <location> or subfolder's web.config.

Public:
1. Set enableSessionState and enableViewState to false for performance?
--> setting enableViewState to false will boost performance.
--> enableSessionState won't hurt as long as you do not store any BIG Session variable
--> Also, you'll need it for FormAuthentication

2. Would credentials allow the password to be encrypted or is there another method of encrypting the userid and password?
--> No, you'll have to write down some method for that

Private:
1. <authentication mode="None"> - Would this be appropriate since the authentication already took place?
--> Not Required & you shouldn't put it in here. Leave this tag.

2. Set enableSessionState and enableViewState to true?
--> enableSessionState is true by default. (yes you'll need it true)
--> enableViewState: true/false doesn't matter, based upon your requirement

3. Paths for the error pages appropriate?
--> You just need these paths at Main level.

4. Is the SessionState code appropriate?
-->  Yes!

-tushar
0
tusharashahCommented:
You can modify your web.config like the following:

------------------------------------------------
<configuration>
<appSettings>
  <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
</appSettings>

<!-- public side: -->
<system.web>
<httpRuntime useFullyQualifiedRedirectUrl="false" />
<pages enableViewState="false" smartNavigation="false"/> <!-- other properties were set to default so no need to mention here -->

<customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
  <error statusCode="500" redirect="500error.aspx"/>
  <error statusCode="404" redirect="404berror.aspx"/>
</customErrors>

<authentication mode="Forms">
  <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300">
<!--    <credentials passwordFormat="SHA1"></credentials> -->
  </forms>    
</authentication>

<identity impersonate="false"/>

<authorization>
  <allow users="*" />
</authorization>

</system.web>

<!-- private side: -->
<location path="members">
<!-- All other attributes will be inherited automatically from above -->
  <system.web>
       <authorization>
         <deny users="?" />
       </authorization>
  </system.web>
</location>

</configuration>
0
matthersjrAuthor Commented:
Would the following be a winner?

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
      <!-- custom app settings SQLConnection = sql server connection string for remote sql server -->
            <appSettings>
                  <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
            </appSettings>

<!-- public side: -->
<system.web>
      <!-- HTTP Runtime -->
            <httpRuntime useFullyQualifiedRedirectUrl="false" />
      <!-- Pages -->
            <pages enableViewState="false" smartNavigation="false"/>
      <!-- Custom Errors -->
            <customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
                  <error statusCode="500" redirect="500error.aspx"/>
                  <error statusCode="404" redirect="404berror.aspx"/>
            </customErrors>
      <!-- Authentication -->
            <authentication mode="Forms">
                  <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300" />
            </authentication>
      <!-- Identity -->
            <identity impersonate="false"/>
      <!-- Authorization -->
            <authorization>
                  <allow users="*" />
            </authorization>
</system.web>



<!-- private side: -->
<location path="members">
      <system.web>
            <!-- Authorization -->
                  <authorization>
                        <deny users="?" />
                  </authorization>
      <!-- SessionState -->
            <sessionState
                  mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                  cookieless="false"
                  timeout="20"
            />
      </system.web>
</location>
</configuration>
0
tusharashahCommented:
Almost! Just put your <sessionState> at root level. Don't worry, there will not be any performance issue.

-tushar
0
matthersjrAuthor Commented:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
     <!-- custom app settings SQLConnection = sql server connection string for remote sql server -->
          <appSettings>
               <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
          </appSettings>

<!-- public side: -->
<system.web>
     <!-- HTTP Runtime -->
          <httpRuntime useFullyQualifiedRedirectUrl="false" />
     <!-- Pages -->
          <pages enableViewState="false" smartNavigation="false"/>
     <!-- Custom Errors -->
          <customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
               <error statusCode="500" redirect="500error.aspx"/>
               <error statusCode="404" redirect="404berror.aspx"/>
          </customErrors>
     <!-- Authentication -->
          <authentication mode="Forms">
               <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300" />
          </authentication>
     <!-- Identity -->
          <identity impersonate="false"/>
     <!-- Authorization -->
          <authorization>
               <allow users="*" />
          </authorization>
<!-- SessionState -->
          <sessionState
               mode="InProc"
               stateConnectionString="tcpip=127.0.0.1:42424"
               sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
               cookieless="false"
               timeout="20"
          />
</system.web>



<!-- private side: -->
<location path="members">
     <system.web>
          <!-- Authorization -->
               <authorization>
                    <deny users="?" />
               </authorization>
          </system.web>
</location>
</configuration>
0
tusharashahCommented:
You're all set!

-tushar
0

matthersjrAuthor Commented:
tushar,

thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.