  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267

SECURE CONNECTION STRING

Hi All,

I want to secure the connection string in both web and Windows apps.

How could I do it?

Thank you.
0
emi_sastra
Asked:
2 Solutions
 
Éric Moreau (Senior .Net Consultant) Commented:
0
 
emi_sastra (Author) Commented:
Hi emoreau,

Nice code.
Should we put the connection into a DLL (or something else) after encrypting it and decrypt it on the fly at runtime?

Thank you.
0
 
Éric Moreau (Senior .Net Consultant) Commented:
I never put connection strings into a DLL. If you have to change it, you would need to recompile!
0
 
emi_sastra (Author) Commented:
On the exe file: if the connection is not encrypted then it could be seen using some tools.

How to overcome this problem?

Thank you.
0
 
Éric Moreau (Senior .Net Consultant) Commented:
If you are using a connection string with sensitive information that should not be seen in any case, you should use integrated security (control access to the database objects from within the database). Otherwise, your connection string will always at some point be decrypted and sent to the SQL Server in clear text.
0
 
Éric Moreau (Senior .Net Consultant) Commented:
0
 
emi_sastra (Author) Commented:
- if you are using a connection string with sensitive information that should not be seen in any case, you should use integrated security (control access to the database objects from within the database).
You mean stored procedure?

- otherwise, your connection string will always at some point be decrypted and sent to the sql server in clear text.
How could we/someone see it?

Thank you.
0
 
emi_sastra (Author) Commented:
Nice links.

Thanks.
0
 
emi_sastra (Author) Commented:
- connectionString="Data Source=moer-i1520\sql1008; Initial Catalog=TestDB; Integrated Security=SSPI"
This is not encrypted.

should be like

 connectionString="mcQKhSSzcMP9199vA8Bod1/y6VJrZNL3m4AQiDHwonHyuSUctBQY/cgOz5rakHa2d5mVKSSxdE2RjDDB0DxKUsoWbddaeej6ufY6fUj6ACmwJQyiB+I3OA=="

Encrypt it first and put it in connection string ?

Thank you.
0
 
Éric Moreau (Senior .Net Consultant) Commented:
To get the encrypted connection string, download the sample with my article. It contains an example. But this connection string will be decrypted in memory at some point and sent to the SQL Server in clear text at some point.


>>How could we/someone see it ?

By sniffing the network.
0
 
emi_sastra (Author) Commented:
To get the encrypted connection string, download the sample with my article. It contains an example. But this connection string will be decrypted in memory at some point and sent to the SQL Server in clear text at some point.


>>How could we/someone see it ?

By sniffing the network.

Thus, there is no secure way at all?

Thank you.
0
 
Éric Moreau (Senior .Net Consultant) Commented:
99.99999% of the users won't ever be able to see the connection string. For years, I have encrypted my connection string in my .config file and never got any problems.

The most secure way is to use Windows Authentication (your Windows credentials are used to authenticate on the server).
0
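
The points made in the answers above, as an added VB.NET example (not code from the thread or from the articles linked in it): `Audit` flags a connection string that embeds a password or does not request an encrypted connection, and `ProtectConnectionStrings` encrypts the `connectionStrings` section of a Windows application's .config with the built-in DPAPI provider. It assumes .NET Framework with references to System.Configuration and System.Data; the module and function names and the sample strings are made up for illustration.

```vbnet
' Added example; names and sample strings are illustrative, not from the thread.
Imports System
Imports System.Collections.Generic
Imports System.Configuration
Imports System.Data.SqlClient

Module ConnectionStringHardening

    ' Returns the weaknesses found in one SQL Server connection string.
    Function Audit(connectionString As String) As List(Of String)
        Dim findings As New List(Of String)
        Dim b As New SqlConnectionStringBuilder(connectionString)
        If Not b.IntegratedSecurity AndAlso b.Password.Length > 0 Then
            findings.Add("SQL login with a password embedded in the string")
        End If
        If Not b.Encrypt Then
            findings.Add("Encrypt is off: the client does not request TLS to SQL Server")
        End If
        Return findings
    End Function

    ' Encrypts <connectionStrings> in this program's .config with the DPAPI provider.
    ' The framework decrypts it transparently when ConfigurationManager reads it.
    Sub ProtectConnectionStrings()
        Dim config As System.Configuration.Configuration =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")
        If section IsNot Nothing AndAlso Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
            section.SectionInformation.ForceSave = True
            config.Save(ConfigurationSaveMode.Modified)
        End If
    End Sub

    Sub Main()
        ' Constructed samples; server, database and login are placeholders.
        Dim samples As String() = {
            "Data Source=dbserver;Initial Catalog=TestDB;User ID=appuser;Password=example",
            "Data Source=dbserver;Initial Catalog=TestDB;Integrated Security=SSPI;Encrypt=True"
        }
        For Each s As String In samples
            ' Print findings only, never the connection string itself.
            For Each f As String In Audit(s)
                Console.WriteLine("- " & f)
            Next
        Next
        ProtectConnectionStrings()
    End Sub
End Module
```

With its default settings the DPAPI provider ties the encrypted section to the machine it was run on, so run the protection step on the target machine (for example at install time) rather than at build time.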
 
emi_sastra (Author) Commented:
I see.

How about for web app ?
Use the same method ?

Thank you.
0
 
Éric Moreau (Senior .Net Consultant) Commented:
A web app is usually simpler, as the .config file is only on the server, which should be secured by itself.

But you can always encrypt it if you want: http://www.codeproject.com/KB/aspnet/webconfig.aspx
0
 
emi_sastra (Author) Commented:
Using conn As SqlConnection = New SqlConnection(strConnection)

End Using

Is this done at the server or at the client? Is it visible to a sniffer?

Thank you.

0
 
emi_sastra (Author) Commented:
I am talking about a web app for the above questions.

Thank you.
0
 
Éric Moreau (Senior .Net Consultant) Commented:
This is also what I thought. Your connection string is always located on the web server and never sent to the browser. Your connection string is only used by the code on the server and unless you render it yourself on a page, it is never sent to the client.
0
 
emi_sastra (Author) Commented:
- unless you render it yourself on a page
For example ?

Thank you.
0
 
Éric Moreau (Senior .Net Consultant) Commented:
mylabel.text = YourDecryptedConnectionStringVariable
0
 
emi_sastra (Author) Commented:
I see.

Great.

Thank you very much for your help.
0
