
web config help

My development environment consists of 2 separate servers (sql 2000 server and iis6 server).
1. iis6 web server
2. sql 2k server

iis6 directory structure:
wwwroot/
      default.aspx
      web.config
      error.aspx
      404berror.aspx
      500error.aspx
      login.aspx
      members/default.aspx
      images/
      css/
      bin/

What is the best way to set up a web.config file so that I have a public side and a members folder?

below is my webconfig file.
-------------------------------
<?xml version="1.0" encoding="utf-8" ?>
<!--
  Root web.config for an ASP.NET / VB.NET application.
  Every <system.web> setting below sits inside <location path="members">, so this
  file configures only the members folder; nothing here is declared for the
  public pages, which fall back to inherited defaults.
-->
<configuration>
      <!--
      Custom app settings.
      SQLConnection = SQL Server connection string for the remote SQL server.
      NOTE(review): the string carries a SQL login in clear text, and the password is
      the same as the user id. Anyone who can read this file (backup copy, source
      control, a file-disclosure bug) can log in to the database. Prefer Windows
      integrated authentication (Integrated Security / Trusted_Connection) if the two
      servers allow it, or at minimum a strong password on a login limited to the
      rights the pages need.
      -->
      <appSettings>
      <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
      </appSettings>

<location path="members">
      <system.web>
      <!-- Trace: request tracing is switched off. localOnly="true" restricts the trace viewer to requests made on the server itself if tracing is ever enabled. -->
            <trace
            enabled="false"
            localOnly="true"
            pageOutput="false"
            requestLimit="10"
            traceMode="SortByTime"
            />
            
      <!-- Globalization: culture and request/response encodings. -->
            <globalization
            culture="en-US"
            requestEncoding="utf-8"
            responseEncoding="utf-8"
            uiCulture="en-US"
            />
            
            <!-- HTTP Runtime: request limits. executionTimeout is in seconds, maxRequestLength in KB. -->
            <httpRuntime
                  appRequestQueueLimit="100"
                  executionTimeout="90"
                  maxRequestLength="4096"
                  minFreeThreads="8"
                  minLocalRequestFreeThreads="4"
                  useFullyQualifiedRedirectUrl="false"
            />
      
       <!--
       Compilation: debug="false" keeps debug builds off.
       NOTE(review): tempDirectory points at C:\temp, where temporary files produced
       during compilation are stored. Confirm that only the ASP.NET worker account
       can write to that directory.
       -->
      <compilation
            batch="true"
            batchTimeout="15"
            debug="false"
            defaultLanguage="vb"
            explicit="true"
            numRecompilesBeforeAppRestart="15"
            strict="false"
            tempDirectory="C:\temp">
            <compilers>
                  <compiler extension=".vb" language="vb;vbs;visualbasic;vbscript" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            </compilers>
            </compilation>
            
            <!-- Page settings: session state and view state are switched off; validateRequest="true" keeps ASP.NET request validation on. -->
            <pages
                  autoEventWireup="true"
                  buffer="true"
                  enableSessionState="false"
                  enableViewState="false"
                  smartNavigation="false"
                  validateRequest="true"
            />
                  
       <!-- Custom Errors: RemoteOnly shows the custom pages to remote clients and detailed errors only to requests made on the server. -->
            <customErrors
                  defaultRedirect="error.aspx"
                  mode="RemoteOnly">
                  <error statusCode="500"
                redirect="500error.aspx"/>
            <error statusCode="404"
                redirect="404berror.aspx"/>
            </customErrors>
            
       <!--
       Authentication: forms login with a 20 minute ticket; protection="All" means the
       cookie is both encrypted and validated. <credentials> is empty, so no users are
       defined in this file.
       NOTE(review): <authentication> (like <trace> and <sessionState>) is normally
       accepted only at application level. Declared here under a <location> for a
       subfolder it may be rejected with a configuration error. Confirm, or move it to a
       top-level <system.web>.
       -->
            <authentication
            mode="Forms">
             <forms
                        loginUrl="login.aspx"
                        name="MemberLogin"
                        path="/"
                        protection="All"
                        timeout="20">
                  <credentials
                  passwordFormat="SHA1">
                  </credentials>            
            </forms>
            </authentication>
      
       <!-- Identity: no impersonation; requests run under the ASP.NET process identity. -->
            <identity
              impersonate="false"
            />
     
       <!-- Authorization: "?" is the anonymous user, so unauthenticated requests to members/ are denied. -->
            <authorization>
                  <deny users="?" />
            </authorization>
            
      <!-- Session state: kept in the worker process (InProc); stateConnectionString and sqlConnectionString are not used in this mode. -->
      <sessionState
                  mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                  cookieless="false"
                  timeout="20"
            />
            
      </system.web>
  </location>
</configuration>
--------------------

Also, would it be wise to have authentication on the public side mode="none" for performance?

<!--??<authentication
            mode="None">
            </authentication>?? if public is select only wouldn't this enhance performance?-->
      
matthersjr
Asked:
matthersjr
 
tusharashahCommented:
You do not need to put every element inside the <location> for your members sub-area. Your web.config should look like the following:

----------------------------------------------------------------------------------------------------------------------------------------
<!-- Web.config sketch: application-wide settings in the top-level <system.web>, per-folder overrides in <location>. -->
<configuration>

 <system.web> <!-- Default <system.web>: put everything in here; it applies to the whole application unless a <location> overrides it. -->
     ................
     ...............
   <!-- Forms authentication is declared once for the application. timeout is in minutes. -->
   <authentication mode="Forms">    
         <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300"/>    
   </authentication>

    <authorization>
               <allow users="*" />   <!-- Root folder: "*" allows every user, authenticated or not. -->
     </authorization>

 </system.web>

 <location path="members"> <!-- Only the authorization rule is needed here. -->
   <system.web>
        <authorization>
            <!-- NOTE(review): "?" is the anonymous user, so this rule lets unauthenticated visitors into members/. To protect the folder the rule has to be <deny users="?" />. -->
            <allow users="?" />
        </authorization>
    </system.web>
 </location>

</configuration>
----------------------------------------------------------------------------------------------------------------------------------------

-tushar
 
tusharashahCommented:
CORRECTION
<location path="members"> <!-- Only the authorization rule is needed here. -->
   <system.web>
        <authorization>
            <!-- "?" is the anonymous user: as written, this rule admits unauthenticated visitors. -->
            <allow users="?" />
        </authorization>
    </system.web>
 </location>

SHOULD BE:
<location path="members"> <!-- Only the authorization rule is needed here. -->
   <system.web>
        <authorization>
            <deny users="?" />   <!-- "?" is the anonymous user: unauthenticated requests to members/ are denied. -->
        </authorization>
    </system.web>
 </location>

-tushar
 
matthersjrAuthor Commented:
Public:
1. Set enableSessionState and enableViewState to false for performance?
2. Would credentials allow the password to be encrypted or is there another method of encrypting the userid and password?

Private:
1. <authentication mode="None"> - Would this be appropriate since the authentication already took place?
2. Set enableSessionState and enableViewState to true?
3. Are the paths for the error pages appropriate?
4. Is the SessionState code appropriate?

See web.config below.
---------------
<configuration>
<!-- NOTE(review): clear-text SQL login whose password equals the user id; anyone who can read this file can log in to the database. Prefer integrated authentication, or a strong password on a least-privilege login. -->
<appSettings>
  <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
</appSettings>

<!-- Public side: application-wide settings. -->
<system.web>
<httpRuntime useFullyQualifiedRedirectUrl="false" />
<!-- Session state and view state are switched off for the public pages; request validation stays on. -->
<pages autoEventWireup="true" buffer="true" enableSessionState="false" enableViewState="false" smartNavigation="false"

validateRequest="true"/>
<!-- RemoteOnly: remote clients get the custom pages; detailed errors are shown only to requests made on the server. -->
<customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
  <error statusCode="500" redirect="500error.aspx"/>
  <error statusCode="404" redirect="404berror.aspx"/>
</customErrors>
<!-- Forms authentication for the whole application. timeout is in minutes, so the ticket lasts 300 minutes here against 20 minutes for the session state declared further down. <credentials> is empty: no users are defined in this file. -->
<authentication mode="Forms">
  <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300">
    <credentials passwordFormat="SHA1"></credentials>
  </forms>    
</authentication>
<identity impersonate="false"/>
<!-- "*" allows every user, authenticated or not, on the public pages. -->
<authorization>
  <allow users="*" />
</authorization>
</system.web>

<!-- Private side: overrides for the members folder. -->
<location path="members">
<system.web>
<httpRuntime useFullyQualifiedRedirectUrl="false" />
<!-- Session state and view state are switched on for the member pages. -->
<pages autoEventWireup="true" buffer="true" enableSessionState="true" enableViewState="true" smartNavigation="false"

validateRequest="true"/>
<customErrors defaultRedirect="../error.aspx" mode="RemoteOnly">
  <error statusCode="500" redirect="../500error.aspx"/>
  <error statusCode="404" redirect="../404berror.aspx"/>
</customErrors>
<identity impersonate="false" />
<!-- "?" is the anonymous user: unauthenticated requests to members/ are denied. -->
<authorization>
  <deny users="?" />
</authorization>
<!-- NOTE(review): <sessionState> is normally accepted only at application level, so declaring it under this <location> may raise a configuration error; confirm. The line break inside sqlConnectionString looks like a paste wrap; that value is not used in InProc mode. -->
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data

source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>
</system.web>
</location>

</configuration>
 
tusharashahCommented:
Again, anything that is already set in your main web.config does not need to be repeated inside <location> or in a subfolder's web.config.

Public:
1. Set enableSessionState and enableViewState to false for performance?
--> Setting enableViewState to false will boost performance.
--> enableSessionState won't hurt as long as you do not store any big Session variables.
--> Also, you'll need it for Forms Authentication.

2. Would credentials allow the password to be encrypted or is there another method of encrypting the userid and password?
--> No, you'll have to write down some method for that

Private:
1. <authentication mode="None"> - Would this be appropriate since the authentication already took place?
--> Not Required & you shouldn't put it in here. Leave this tag.

2. Set enableSessionState and enableViewState to true?
--> enableSessionState is true by default. (yes you'll need it true)
--> enableViewState: true or false doesn't matter; set it based on your requirements.

3. Are the paths for the error pages appropriate?
--> You only need these paths at the main (root) level.

4. Is the SessionState code appropriate?
-->  Yes!

-tushar
 
tusharashahCommented:
You can modify your web.config like following

------------------------------------------------
<configuration>
<!-- NOTE(review): clear-text SQL login whose password equals the user id; anyone who can read this file can log in to the database. Prefer integrated authentication, or a strong password on a least-privilege login. -->
<appSettings>
  <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
</appSettings>

<!-- Public side: application-wide settings, inherited by every subfolder. -->
<system.web>
<httpRuntime useFullyQualifiedRedirectUrl="false" />
<pages enableViewState="false" smartNavigation="false"/> <!-- The other attributes were at their defaults, so they are left out here. -->

<!-- RemoteOnly: remote clients get the custom pages; detailed errors are shown only to requests made on the server. -->
<customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
  <error statusCode="500" redirect="500error.aspx"/>
  <error statusCode="404" redirect="404berror.aspx"/>
</customErrors>

<!-- Forms authentication for the whole application. timeout is in minutes (300 here); protection="All" means the cookie is both encrypted and validated. -->
<authentication mode="Forms">
  <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300">
<!--    <credentials passwordFormat="SHA1"></credentials> -->
  </forms>    
</authentication>

<identity impersonate="false"/>

<!-- "*" allows every user, authenticated or not, on the public pages. -->
<authorization>
  <allow users="*" />
</authorization>

</system.web>

<!-- Private side: only the authorization rule differs for the members folder. -->
<location path="members">
<!-- All other settings are inherited automatically from the <system.web> above. -->
  <system.web>
       <!-- "?" is the anonymous user: unauthenticated requests to members/ are denied. -->
       <authorization>
         <deny users="?" />
       </authorization>
  </system.web>
</location>

</configuration>
 
matthersjrAuthor Commented:
would the following be a winner?

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
      <!--
      Custom app settings: SQLConnection = SQL Server connection string for the remote SQL server.
      NOTE(review): clear-text SQL login whose password equals the user id; anyone who
      can read this file can log in to the database. Prefer integrated authentication,
      or a strong password on a least-privilege login.
      -->
            <appSettings>
                  <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
            </appSettings>

<!-- Public side: application-wide settings, inherited by every subfolder. -->
<system.web>
      <!-- HTTP Runtime -->
            <httpRuntime useFullyQualifiedRedirectUrl="false" />
      <!-- Pages: view state is switched off. -->
            <pages enableViewState="false" smartNavigation="false"/>
      <!-- Custom Errors: RemoteOnly shows the custom pages to remote clients and detailed errors only to requests made on the server. -->
            <customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
                  <error statusCode="500" redirect="500error.aspx"/>
                  <error statusCode="404" redirect="404berror.aspx"/>
            </customErrors>
      <!-- Authentication: forms login; timeout is in minutes (300 here); protection="All" means the cookie is both encrypted and validated. -->
            <authentication mode="Forms">
                  <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300" />
            </authentication>
      <!-- Identity: no impersonation; requests run under the ASP.NET process identity. -->
            <identity impersonate="false"/>
      <!-- Authorization: "*" allows every user, authenticated or not, on the public pages. -->
            <authorization>
                  <allow users="*" />
            </authorization>
</system.web>



<!-- Private side: overrides for the members folder. -->
<location path="members">
      <system.web>
            <!-- Authorization: "?" is the anonymous user, so unauthenticated requests to members/ are denied. -->
                  <authorization>
                        <deny users="?" />
                  </authorization>
      <!--
      SessionState: kept in the worker process (InProc); stateConnectionString and
      sqlConnectionString are not used in this mode.
      NOTE(review): <sessionState> is normally accepted only at application level, so
      declaring it under this <location> may raise a configuration error; confirm.
      -->
            <sessionState
                  mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                  cookieless="false"
                  timeout="20"
            />
      </system.web>
</location>
</configuration>
 
tusharashahCommented:
Almost! Just put your <sessionState> at the root level. Don't worry, there will not be any performance issue.

-tushar
 
matthersjrAuthor Commented:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
     <!--
     Custom app settings: SQLConnection = SQL Server connection string for the remote SQL server.
     NOTE(review): the string carries a SQL login in clear text, and the password is the
     same as the user id. Anyone who can read this file (backup copy, source control, a
     file-disclosure bug) can log in to the database. Prefer Windows integrated
     authentication (Integrated Security / Trusted_Connection) if the two servers allow
     it, or at minimum a strong password on a login limited to the rights the pages need.
     -->
          <appSettings>
               <add key="SQLConnection" value="user id=webone; password=webone;database=weblogin;server=devsqlserver\LOCAL;Connect Timeout=30;" />
          </appSettings>

<!-- Public side: application-wide settings, inherited by every subfolder. -->
<system.web>
     <!-- HTTP Runtime -->
          <httpRuntime useFullyQualifiedRedirectUrl="false" />
     <!-- Pages: view state is switched off. -->
          <pages enableViewState="false" smartNavigation="false"/>
     <!-- Custom Errors: RemoteOnly shows the custom pages to remote clients and detailed errors only to requests made on the server. -->
          <customErrors defaultRedirect="error.aspx" mode="RemoteOnly">
               <error statusCode="500" redirect="500error.aspx"/>
               <error statusCode="404" redirect="404berror.aspx"/>
          </customErrors>
     <!--
     Authentication: forms login; protection="All" means the cookie is both encrypted
     and validated. timeout is in minutes, so the ticket lasts 300 minutes while the
     session state below expires after 20; member pages that read session data should
     expect an authenticated user whose session is gone.
     NOTE(review): requireSSL is not set, so the authentication cookie is not limited
     to HTTPS. The page does not say whether the site is served over SSL; if it is,
     consider requireSSL="true".
     -->
          <authentication mode="Forms">
               <forms loginUrl="login.aspx" name="MemberLogin" protection="All" path="/" timeout="300" />
          </authentication>
     <!-- Identity: no impersonation; requests run under the ASP.NET process identity. -->
          <identity impersonate="false"/>
     <!-- Authorization: "*" allows every user, authenticated or not, on the public pages. -->
          <authorization>
               <allow users="*" />
          </authorization>
<!-- SessionState: kept in the worker process (InProc); stateConnectionString and sqlConnectionString are not used in this mode. -->
          <sessionState
               mode="InProc"
               stateConnectionString="tcpip=127.0.0.1:42424"
               sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
               cookieless="false"
               timeout="20"
          />
</system.web>



<!-- Private side: only the authorization rule differs for the members folder. -->
<location path="members">
     <system.web>
          <!-- Authorization: "?" is the anonymous user, so unauthenticated requests to members/ are denied and sent to the forms login page. -->
               <authorization>
                    <deny users="?" />
               </authorization>
          </system.web>
</location>
</configuration>
 
tusharashahCommented:
You're all set!

-tushar
 
matthersjrAuthor Commented:
tushar,

thanks.