matthersjr
asked on
web config help
My development environment consists of 2 separate servers (sql 2000 server and iis6 server).
1. iis6 web server
2. sql 2k server
iis6 directory structure:
wwwroot/
default.aspx
web.config
error.aspx
404berror.aspx
500error.aspx
login.aspx
members/default.aspx
images/
css/
bin/
What is the best method for setting up a webconfig file so that I have a public side and a member folder?
below is my webconfig file.
-------------------------- -----
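<?xml version="1.0" encoding="utf-8" ?>
<!-- public webconfig for asp.net/vb.net app -->
<configuration>
  <!--
    custom app settings
    SQLConnection = sql server connection string for remote sql server

    NOTE(review): the SQL login and its password are stored here in clear text,
    and the password equals the user id. Anyone who can read this file (backups,
    source control, a file-disclosure bug) obtains the database login. Prefer
    Windows integrated authentication (Integrated Security=SSPI) or keep the
    secret out of the plain-text config, and grant the account only the rights
    the site needs.
  -->
  <appSettings>
    <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
  </appSettings>

  <!--
    Everything below is scoped to the members/ folder only; the public pages
    get whatever the parent configuration provides.
    NOTE(review): <authentication> and <sessionState> are application-level
    sections, and ASP.NET normally rejects them when they are scoped to a
    subdirectory that is not its own application. Confirm, then move them to a
    root <system.web> and keep only <authorization> in this location.
  -->
  <location path="members">
    <system.web>
      <!-- Trace: switched off; localOnly keeps any trace output away from remote clients if it is ever enabled -->
      <trace
        enabled="false"
        localOnly="true"
        pageOutput="false"
        requestLimit="10"
        traceMode="SortByTime"
      />

      <!-- Globalization -->
      <globalization
        culture="en-US"
        requestEncoding="utf-8"
        responseEncoding="utf-8"
        uiCulture="en-US"
      />

      <!-- HTTP Runtime: maxRequestLength (KB) and executionTimeout (seconds) bound the size and duration of a request -->
      <httpRuntime
        appRequestQueueLimit="100"
        executionTimeout="90"
        maxRequestLength="4096"
        minFreeThreads="8"
        minLocalRequestFreeThreads="4"
        useFullyQualifiedRedirectUrl="false"
      />

      <!--
        Compilation: debug stays false on anything reachable by users.
        NOTE(review): tempDirectory points at a shared C:\temp; check that its
        ACL lets only the ASP.NET worker account write there.
      -->
      <compilation
        batch="true"
        batchTimeout="15"
        debug="false"
        defaultLanguage="vb"
        explicit="true"
        numRecompilesBeforeAppRestart="15"
        strict="false"
        tempDirectory="C:\temp">
        <compilers>
          <compiler extension=".vb" language="vb;vbs;visualbasic;vbscript" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        </compilers>
      </compilation>

      <!-- Page config settings: validateRequest is defence in depth and does not replace output encoding -->
      <pages
        autoEventWireup="true"
        buffer="true"
        enableSessionState="false"
        enableViewState="false"
        smartNavigation="false"
        validateRequest="true"
      />

      <!-- Custom Errors: RemoteOnly shows the friendly pages to remote clients and detailed errors only on the server itself -->
      <customErrors
        defaultRedirect="error.aspx"
        mode="RemoteOnly">
        <error statusCode="500"
               redirect="500error.aspx"/>
        <error statusCode="404"
               redirect="404berror.aspx"/>
      </customErrors>

      <!--
        Authentication: protection="All" encrypts and validates the ticket
        cookie; timeout is in minutes. The empty <credentials> element lists no
        users, so passwordFormat has nothing to apply to.
        NOTE(review): consider requireSSL="true" once the site is served over
        HTTPS so the ticket is never sent in clear text.
      -->
      <authentication
        mode="Forms">
        <forms
          loginUrl="login.aspx"
          name="MemberLogin"
          path="/"
          protection="All"
          timeout="20">
          <credentials
            passwordFormat="SHA1">
          </credentials>
        </forms>
      </authentication>

      <!-- Identity: requests run as the worker-process account, not the caller -->
      <identity
        impersonate="false"
      />

      <!-- Authorization: "?" is the anonymous user, so unauthenticated requests are refused -->
      <authorization>
        <deny users="?" />
      </authorization>

      <!-- Session state: with mode="InProc" the two connection strings are not used -->
      <sessionState
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
        cookieless="false"
        timeout="20"
      />
    </system.web>
  </location>
</configuration>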
--------------------
Also, would it be wise to have authentication on the public side mode="none" for performance?
<!--??<authentication
mode="None">
</authentication>?? if public is select only wouldn't this enhance performance?-->
1. iis6 web server
2. sql 2k server
iis6 directory structure:
wwwroot/
default.aspx
web.config
error.aspx
404berror.aspx
500error.aspx
login.aspx
members/default.aspx
images/
css/
bin/
What is the best method for setting up a webconfig file so that I have a public side and a member folder?
below is my webconfig file.
--------------------------
<?xml version="1.0" encoding="utf-8" ?>
<!-- public webconfig for asp.net/vb.net app-->
<configuration>
<!--
custom app settings
SQLConnection = sql server connection string for remote sql server
-->
<appSettings>
<add key="SQLConnection" value="user id=webone; password=webone;database=w
</appSettings>
<location path="members">
<system.web>
<!-- Trace -->
<trace
enabled="false"
localOnly="true"
pageOutput="false"
requestLimit="10"
traceMode="SortByTime"
/>
<!-- Globaliztion -->
<globalization
culture="en-US"
requestEncoding="utf-8"
responseEncoding="utf-8"
uiCulture="en-US"
/>
<!-- HTTP Runtime -->
<httpRuntime
appRequestQueueLimit="100"
executionTimeout="90"
maxRequestLength="4096"
minFreeThreads="8"
minLocalRequestFreeThreads
useFullyQualifiedRedirectU
/>
<!-- Compilation -->
<compilation
batch="true"
batchTimeout="15"
debug="false"
defaultLanguage="vb"
explicit="true"
numRecompilesBeforeAppRest
strict="false"
tempDirectory="C:\temp">
<compilers>
<compiler extension=".vb" language="vb;vbs;visualbas
</compilers>
</compilation>
<!-- Page config settings -->
<pages
autoEventWireup="true"
buffer="true"
enableSessionState="false"
enableViewState="false"
smartNavigation="false"
validateRequest="true"
/>
<!-- Custom Errors -->
<customErrors
defaultRedirect="error.asp
mode="RemoteOnly">
<error statusCode="500"
redirect="500error.aspx"/>
<error statusCode="404"
redirect="404berror.aspx"/
</customErrors>
<!-- Authentication -->
<authentication
mode="Forms">
<forms
loginUrl="login.aspx"
name="MemberLogin"
path="/"
protection="All"
timeout="20">
<credentials
passwordFormat="SHA1">
</credentials>
</forms>
</authentication>
<!-- Identity
-->
<identity
impersonate="false"
/>
<!-- Authorization -->
<authorization>
<deny users="?" />
</authorization>
<sessionState
mode="InProc"
stateConnectionString="tcp
sqlConnectionString="data source=127.0.0.1;Trusted_C
cookieless="false"
timeout="20"
/>
</system.web>
</location>
</configuration>
--------------------
Also, would it be wise to have authentication on the public side mode="none" for performance?
<!--??<authentication
mode="None">
</authentication>?? if public is select only wouldn't this enhance performance?-->
CORRECTION
<location path="members"> <!-- Only the authorization rule is needed here -->
<system.web>
<authorization>
<!-- Incorrect version being corrected: "?" is the anonymous user, so this rule lets unauthenticated requests into members/ -->
<allow users="?" />
</authorization>
</system.web>
</location>
SHOULD BE:
<location path="members"> <!-- Only the authorization rule is needed here -->
<system.web>
<authorization>
<deny users="?" /> <!-- "?" is the anonymous user: unauthenticated requests to members/ are refused -->
</authorization>
</system.web>
</location>
-tushar
<location path="members"> <!-- Only the authorization rule is needed here -->
<system.web>
<authorization>
<!-- Incorrect version being corrected: "?" is the anonymous user, so this rule lets unauthenticated requests into members/ -->
<allow users="?" />
</authorization>
</system.web>
</location>
SHOULD BE:
<location path="members"> <!-- Only the authorization rule is needed here -->
<system.web>
<authorization>
<deny users="?" /> <!-- "?" is the anonymous user: unauthenticated requests to members/ are refused -->
</authorization>
</system.web>
</location>
-tushar
ASKER
Public:
1. Set enableSessionState and enableViewState to false for performance?
2. Would credentials allow the password to be encrypted or is there another method of encrypting the userid and password?
Private:
1. <authentication mode="None"> - Would this be appropriate since the authentication already took place?
2. Set enableSessionState and enableViewState to true?
3. Pathes for the error pages appropriate?
4. Is the SessionState code appropriate?
See web.config below.
---------------
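<configuration>
  <!--
    NOTE(review): clear-text SQL login whose password equals the user id.
    Prefer Windows integrated authentication (Integrated Security=SSPI) or keep
    the secret out of the plain-text config, with a least-privilege account.
  -->
  <appSettings>
    <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
  </appSettings>

  <!-- public side: -->
  <system.web>
    <httpRuntime useFullyQualifiedRedirectUrl="false" />
    <pages autoEventWireup="true" buffer="true" enableSessionState="false" enableViewState="false" smartNavigation="false"
           validateRequest="true"/>
    <!-- RemoteOnly: remote clients see the friendly pages, detailed errors stay on the server -->
    <customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="500error.aspx"/>
      <error statusCode="404" redirect="404berror.aspx"/>
    </customErrors>
    <!--
      NOTE(review): timeout is in minutes, so 300 keeps a login ticket valid for
      five hours; the first draft used 20. Consider a shorter value, and
      requireSSL="true" once the site is served over HTTPS.
    -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300">
        <credentials passwordFormat="SHA1"></credentials>
      </forms>
    </authentication>
    <identity impersonate="false"/>
    <!-- "*" is every user, anonymous included: the public pages need no login -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- private side: -->
  <location path="members">
    <system.web>
      <httpRuntime useFullyQualifiedRedirectUrl="false" />
      <pages autoEventWireup="true" buffer="true" enableSessionState="true" enableViewState="true" smartNavigation="false"
             validateRequest="true"/>
      <customErrors defaultRedirect="../error.aspx" mode="RemoteOnly">
        <error statusCode="500" redirect="../500error.aspx"/>
        <error statusCode="404" redirect="../404berror.aspx"/>
      </customErrors>
      <identity impersonate="false" />
      <!-- "?" is the anonymous user: members/ requires a login -->
      <authorization>
        <deny users="?" />
      </authorization>
      <!--
        NOTE(review): <sessionState> is an application-level section; ASP.NET
        normally rejects it inside a subdirectory location. Confirm and move it
        to the root <system.web>. With mode="InProc" the two connection strings
        are not used.
      -->
      <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>
    </system.web>
  </location>
</configuration>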
1. Set enableSessionState and enableViewState to false for performance?
2. Would credentials allow the password to be encrypted or is there another method of encrypting the userid and password?
Private:
1. <authentication mode="None"> - Would this be appropriate since the authentication already took place?
2. Set enableSessionState and enableViewState to true?
3. Pathes for the error pages appropriate?
4. Is the SessionState code appropriate?
See web.config below.
---------------
<configuration>
<appSettings>
<add key="SQLConnection" value="user id=webone; password=webone;database=w
</appSettings>
<!-- public side: -->
<system.web>
<httpRuntime useFullyQualifiedRedirectU
<pages autoEventWireup="true" buffer="true" enableSessionState="false"
validateRequest="true"/>
<customErrors defaultRedirect="error.asp
<error statusCode="500" redirect="500error.aspx"/>
<error statusCode="404" redirect="404berror.aspx"/
</customErrors>
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300">
<credentials passwordFormat="SHA1"></cr
</forms>
</authentication>
<identity impersonate="false"/>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<!-- private side: -->
<location path="members">
<system.web>
<httpRuntime useFullyQualifiedRedirectU
<pages autoEventWireup="true" buffer="true" enableSessionState="true" enableViewState="true" smartNavigation="false"
validateRequest="true"/>
<customErrors defaultRedirect="../error.
<error statusCode="500" redirect="../500error.aspx
<error statusCode="404" redirect="../404berror.asp
</customErrors>
<identity impersonate="false" />
<authorization>
<deny users="?" />
</authorization>
<sessionState mode="InProc" stateConnectionString="tcp
source=127.0.0.1;Trusted_C
</system.web>
</location>
</configuration>
Again, as long as anything is inside your main web.config you do not need to write it again inside <location> or subfolder's web.config.
Public:
1. Set enableSessionState and enableViewState to false for performance?
--> Setting enableViewState to false will boost performance.
--> enableSessionState won't hurt as long as you do not store any big Session variables.
--> Also, you'll need it for Forms Authentication.
2. Would credentials allow the password to be encrypted or is there another method of encrypting the userid and password?
--> No, you'll have to write down some method for that
Private:
1. <authentication mode="None"> - Would this be appropriate since the authentication already took place?
--> Not required, and you shouldn't put it in here. Leave this tag out.
2. Set enableSessionState and enableViewState to true?
--> enableSessionState is true by default. (yes you'll need it true)
--> enableViewState: true/false doesn't matter; it depends on your requirements.
3. Pathes for the error pages appropriate?
--> You only need these paths at the main (root) level.
4. Is the SessionState code appropriate?
--> Yes!
-tushar
Public:
1. Set enableSessionState and enableViewState to false for performance?
--> setting enableViewState to false will boost performance.
--> enableSessionState wont hurt as long as you do not store any BIG Session variable
--> Also, you'll need it for FormAuthenticatoin
2. Would credentials allow the password to be encrypted or is there another method of encrypting the userid and password?
--> No, you'll have to write down some method for that
Private:
1. <authentication mode="None"> - Would this be appropriate since the authentication already took place?
--> Not Required & you shouldn't put it in here. Leave this tag.
2. Set enableSessionState and enableViewState to true?
--> enableSessionState is true by default. (yes you'll need it true)
--> enableViewState: true/false dosent matter, base upon your requirement
3. Pathes for the error pages appropriate?
--> You just need these path at Main level.
4. Is the SessionState code appropriate?
--> Yes!
-tushar
You can modify your web.config like following
-------------------------- ---------- ---------- --
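<configuration>
  <!--
    NOTE(review): clear-text SQL login whose password equals the user id.
    Prefer Windows integrated authentication (Integrated Security=SSPI) or keep
    the secret out of the plain-text config, with a least-privilege account.
  -->
  <appSettings>
    <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
  </appSettings>

  <!-- public side: -->
  <system.web>
    <httpRuntime useFullyQualifiedRedirectUrl="false" />
    <pages enableViewState="false" smartNavigation="false"/> <!-- other properties were set to default so no need to mention here -->
    <!-- RemoteOnly: remote clients see the friendly pages, detailed errors stay on the server -->
    <customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="500error.aspx"/>
      <error statusCode="404" redirect="404berror.aspx"/>
    </customErrors>
    <!--
      NOTE(review): timeout is in minutes, so 300 keeps a login ticket valid for
      five hours. Consider a shorter value, and requireSSL="true" once the site
      is served over HTTPS.
    -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300">
        <!-- <credentials passwordFormat="SHA1"></credentials> -->
      </forms>
    </authentication>
    <identity impersonate="false"/>
    <!-- "*" is every user, anonymous included: the public pages need no login -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- private side: -->
  <location path="members">
    <!-- All other attributes will be inherited automatically from above -->
    <system.web>
      <!-- "?" is the anonymous user: members/ requires a login -->
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>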
--------------------------
<configuration>
<appSettings>
<add key="SQLConnection" value="user id=webone; password=webone;database=w
</appSettings>
<!-- public side: -->
<system.web>
<httpRuntime useFullyQualifiedRedirectU
<pages enableViewState="false" smartNavigation="false"/> <!-- other properties were set to default so no need to mention here -->
<customErrors defaultRedirect="error.asp
<error statusCode="500" redirect="500error.aspx"/>
<error statusCode="404" redirect="404berror.aspx"/
</customErrors>
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300">
<!-- <credentials passwordFormat="SHA1"></cr
</forms>
</authentication>
<identity impersonate="false"/>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<!-- private side: -->
<location path="members">
<!-- All other attributes will be inherrited automatically from above -->
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
ASKER
would the following be a winner?
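<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <!--
    custom app settings SQLConnection = sql server connection string for remote sql server
    NOTE(review): clear-text SQL login whose password equals the user id.
    Prefer Windows integrated authentication (Integrated Security=SSPI) or keep
    the secret out of the plain-text config, with a least-privilege account.
  -->
  <appSettings>
    <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
  </appSettings>

  <!-- public side: -->
  <system.web>
    <!-- HTTP Runtime -->
    <httpRuntime useFullyQualifiedRedirectUrl="false" />
    <!-- Pages -->
    <pages enableViewState="false" smartNavigation="false"/>
    <!-- Custom Errors: remote clients see the friendly pages, detailed errors stay on the server -->
    <customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="500error.aspx"/>
      <error statusCode="404" redirect="404berror.aspx"/>
    </customErrors>
    <!--
      Authentication
      NOTE(review): timeout is in minutes, so 300 keeps a login ticket valid for
      five hours. Consider a shorter value, and requireSSL="true" once the site
      is served over HTTPS.
    -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300" />
    </authentication>
    <!-- Identity -->
    <identity impersonate="false"/>
    <!-- Authorization: "*" is every user, anonymous included -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- private side: -->
  <location path="members">
    <system.web>
      <!-- Authorization: "?" is the anonymous user, so members/ requires a login -->
      <authorization>
        <deny users="?" />
      </authorization>
      <!--
        SessionState
        NOTE(review): <sessionState> is an application-level section; ASP.NET
        normally rejects it inside a subdirectory location. Confirm and move it
        to the root <system.web>. With mode="InProc" the two connection strings
        are not used.
      -->
      <sessionState
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
        cookieless="false"
        timeout="20"
      />
    </system.web>
  </location>
</configuration>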
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<!-- custom app settings SQLConnection = sql server connection string for remote sql server -->
<appSettings>
<add key="SQLConnection" value="user id=webone; password=webone;database=w
</appSettings>
<!-- public side: -->
<system.web>
<!-- HTTP Runtime -->
<httpRuntime useFullyQualifiedRedirectU
<!-- Pages -->
<pages enableViewState="false" smartNavigation="false"/>
<!-- Custom Errors -->
<customErrors defaultRedirect="error.asp
<error statusCode="500" redirect="500error.aspx"/>
<error statusCode="404" redirect="404berror.aspx"/
</customErrors>
<!-- Authentication -->
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300" />
</authentication>
<!-- Identity -->
<identity impersonate="false"/>
<!-- Authorization -->
<authorization>
<allow users="*" />
</authorization>
</system.web>
<!-- private side: -->
<location path="members">
<system.web>
<!-- Authorization -->
<authorization>
<deny users="?" />
</authorization>
<!-- SessionState -->
<sessionState
mode="InProc"
stateConnectionString="tcp
sqlConnectionString="data source=127.0.0.1;Trusted_C
cookieless="false"
timeout="20"
/>
</system.web>
</location>
</configuration>
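Almost! Just put your <sessionState> at the root level: it is an application-wide setting, so it belongs in the main <system.web> rather than inside <location path="members">. Don't worry, there will not be any performance issue.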
-tushar
-tushar
ASKER
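<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <!--
    custom app settings SQLConnection = sql server connection string for remote sql server
    NOTE(review): clear-text SQL login whose password equals the user id.
    Prefer Windows integrated authentication (Integrated Security=SSPI) or keep
    the secret out of the plain-text config, with a least-privilege account.
  -->
  <appSettings>
    <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
  </appSettings>

  <!-- public side: -->
  <system.web>
    <!-- HTTP Runtime -->
    <httpRuntime useFullyQualifiedRedirectUrl="false" />
    <!-- Pages -->
    <pages enableViewState="false" smartNavigation="false"/>
    <!-- Custom Errors: remote clients see the friendly pages, detailed errors stay on the server -->
    <customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="500error.aspx"/>
      <error statusCode="404" redirect="404berror.aspx"/>
    </customErrors>
    <!--
      Authentication
      NOTE(review): timeout is in minutes, so 300 keeps a login ticket valid for
      five hours. Consider a shorter value, and requireSSL="true" once the site
      is served over HTTPS.
    -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300" />
    </authentication>
    <!-- Identity -->
    <identity impersonate="false"/>
    <!-- Authorization: "*" is every user, anonymous included -->
    <authorization>
      <allow users="*" />
    </authorization>
    <!-- SessionState: application-wide; with mode="InProc" the two connection strings are not used -->
    <sessionState
      mode="InProc"
      stateConnectionString="tcpip=127.0.0.1:42424"
      sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
      cookieless="false"
      timeout="20"
    />
  </system.web>

  <!-- private side: -->
  <location path="members">
    <system.web>
      <!-- Authorization: "?" is the anonymous user, so members/ requires a login -->
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>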
<configuration>
<!-- custom app settings SQLConnection = sql server connection string for remote sql server -->
<appSettings>
<add key="SQLConnection" value="user id=webone; password=webone;database=w
</appSettings>
<!-- public side: -->
<system.web>
<!-- HTTP Runtime -->
<httpRuntime useFullyQualifiedRedirectU
<!-- Pages -->
<pages enableViewState="false" smartNavigation="false"/>
<!-- Custom Errors -->
<customErrors defaultRedirect="error.asp
<error statusCode="500" redirect="500error.aspx"/>
<error statusCode="404" redirect="404berror.aspx"/
</customErrors>
<!-- Authentication -->
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300" />
</authentication>
<!-- Identity -->
<identity impersonate="false"/>
<!-- Authorization -->
<authorization>
<allow users="*" />
</authorization>
<!-- SessionState -->
<sessionState
mode="InProc"
stateConnectionString="tcp
sqlConnectionString="data source=127.0.0.1;Trusted_C
cookieless="false"
timeout="20"
/>
</system.web>
<!-- private side: -->
<location path="members">
<system.web>
<!-- Authorization -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
ASKER CERTIFIED SOLUTION
ASKER
tushar,
thanks.
thanks.
--------------------------
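<!-- Web.Config -->
<configuration>
  <system.web> <!-- This is the default system.web; put everything inside here -->
    <!-- ... other application-level settings, omitted in the original answer ... -->
    <!--
      NOTE(review): timeout is in minutes, so 300 keeps a login ticket valid for
      five hours. Consider a shorter value, and requireSSL="true" once the site
      is served over HTTPS.
    -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300"/>
    </authentication>
    <authorization>
      <allow users="*" /> <!-- This is for your root folder: every user, anonymous included -->
    </authorization>
  </system.web>

  <location path="members"> <!-- You don't need anything else but authorization over here -->
    <system.web>
      <authorization>
        <!--
          "?" is the anonymous user. The answer as first posted had
          allow users="?" here, which opens members/ to unauthenticated
          requests; the author's own correction in this thread is deny.
        -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>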
--------------------------
-tushar